Sep 21 07:16:29.960872: FIPS Product: YES Sep 21 07:16:29.960911: FIPS Kernel: NO Sep 21 07:16:29.960914: FIPS Mode: NO Sep 21 07:16:29.960916: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:16:29.961101: Initializing NSS Sep 21 07:16:29.961105: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:16:30.008527: NSS initialized Sep 21 07:16:30.008541: NSS crypto library initialized Sep 21 07:16:30.008544: FIPS HMAC integrity support [enabled] Sep 21 07:16:30.008546: FIPS mode disabled for pluto daemon Sep 21 07:16:30.090124: FIPS HMAC integrity verification self-test FAILED Sep 21 07:16:30.090240: libcap-ng support [enabled] Sep 21 07:16:30.090250: Linux audit support [enabled] Sep 21 07:16:30.090280: Linux audit activated Sep 21 07:16:30.090287: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:11641 Sep 21 07:16:30.090290: core dump dir: /tmp Sep 21 07:16:30.090292: secrets file: /etc/ipsec.secrets Sep 21 07:16:30.090294: leak-detective disabled Sep 21 07:16:30.090296: NSS crypto [enabled] Sep 21 07:16:30.090298: XAUTH PAM support [enabled] Sep 21 07:16:30.090372: | libevent is using pluto's memory allocator Sep 21 07:16:30.090378: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:16:30.090391: | libevent_malloc: new ptr-libevent@0x563a2096e1e0 size 40 Sep 21 07:16:30.090398: | libevent_malloc: new ptr-libevent@0x563a2096f490 size 40 Sep 21 07:16:30.090401: | libevent_malloc: new ptr-libevent@0x563a2096f4c0 size 40 Sep 21 07:16:30.090404: | creating event base Sep 21 07:16:30.090407: | libevent_malloc: new ptr-libevent@0x563a2096f450 size 56 Sep 21 07:16:30.090410: | libevent_malloc: new ptr-libevent@0x563a2096f4f0 size 664 Sep 21 07:16:30.090421: | libevent_malloc: new 
ptr-libevent@0x563a2096f790 size 24 Sep 21 07:16:30.090424: | libevent_malloc: new ptr-libevent@0x563a20960e60 size 384 Sep 21 07:16:30.090434: | libevent_malloc: new ptr-libevent@0x563a2096f7b0 size 16 Sep 21 07:16:30.090437: | libevent_malloc: new ptr-libevent@0x563a2096f7d0 size 40 Sep 21 07:16:30.090439: | libevent_malloc: new ptr-libevent@0x563a2096f800 size 48 Sep 21 07:16:30.090446: | libevent_realloc: new ptr-libevent@0x563a208f1370 size 256 Sep 21 07:16:30.090449: | libevent_malloc: new ptr-libevent@0x563a2096f840 size 16 Sep 21 07:16:30.090454: | libevent_free: release ptr-libevent@0x563a2096f450 Sep 21 07:16:30.090458: | libevent initialized Sep 21 07:16:30.090462: | libevent_realloc: new ptr-libevent@0x563a2096f860 size 64 Sep 21 07:16:30.090468: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:16:30.090482: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:16:30.090485: NAT-Traversal support [enabled] Sep 21 07:16:30.090487: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:16:30.090493: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:16:30.090497: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:16:30.090532: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:16:30.090535: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:16:30.090539: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:16:30.090590: Encryption algorithms: Sep 21 07:16:30.090596: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:16:30.090600: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:16:30.090604: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:16:30.090607: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:16:30.090611: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:16:30.090620: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:16:30.090624: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:16:30.090628: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:16:30.090632: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:16:30.090635: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:16:30.090639: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:16:30.090642: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:16:30.090646: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:16:30.090650: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:16:30.090653: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:16:30.090656: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:16:30.090660: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:16:30.090670: Hash algorithms: Sep 21 07:16:30.090673: MD5 IKEv1: IKE IKEv2: Sep 21 07:16:30.090676: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:16:30.090679: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:16:30.090683: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:16:30.090685: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:16:30.090699: PRF algorithms: Sep 21 07:16:30.090702: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:16:30.090705: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:16:30.090709: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:16:30.090712: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:16:30.090715: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:16:30.090718: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:16:30.090744: Integrity algorithms: Sep 21 07:16:30.090748: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:16:30.090752: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:16:30.090756: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:16:30.090760: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:16:30.090765: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:16:30.090767: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:16:30.090771: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:16:30.090774: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:16:30.090777: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:16:30.090794: DH algorithms: Sep 21 07:16:30.090800: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:16:30.090803: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:16:30.090806: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:16:30.090812: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:16:30.090815: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:16:30.090818: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:16:30.090821: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:16:30.090824: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:16:30.090827: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:16:30.090830: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:16:30.090833: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:16:30.090836: testing CAMELLIA_CBC: Sep 21 07:16:30.090838: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.090959: Camellia: 16 bytes with 128-bit key Sep 21 07:16:30.090990: Camellia: 16 bytes with 256-bit key Sep 21 07:16:30.091020: Camellia: 
16 bytes with 256-bit key Sep 21 07:16:30.091050: testing AES_GCM_16: Sep 21 07:16:30.091054: empty string Sep 21 07:16:30.091082: one block Sep 21 07:16:30.091107: two blocks Sep 21 07:16:30.091134: two blocks with associated data Sep 21 07:16:30.091161: testing AES_CTR: Sep 21 07:16:30.091164: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:16:30.091192: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:16:30.091219: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:16:30.091249: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:16:30.091277: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:16:30.091304: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:16:30.091331: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:16:30.091360: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:16:30.091386: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:16:30.091413: testing AES_CBC: Sep 21 07:16:30.091421: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:16:30.091448: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.091479: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.091512: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:16:30.091548: testing AES_XCBC: Sep 21 07:16:30.091553: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:16:30.091686: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:16:30.091828: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:16:30.091962: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:16:30.092105: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:16:30.092244: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:16:30.092382: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:16:30.092678: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:16:30.092812: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:16:30.092944: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:16:30.093181: testing HMAC_MD5: Sep 21 07:16:30.093187: RFC 2104: MD5_HMAC test 1 Sep 21 07:16:30.093371: RFC 2104: MD5_HMAC test 2 Sep 21 07:16:30.093529: RFC 2104: MD5_HMAC test 3 Sep 21 07:16:30.093715: 8 CPU cores online Sep 21 07:16:30.093719: starting up 7 crypto helpers Sep 21 07:16:30.093751: started thread for crypto helper 0 Sep 21 07:16:30.093769: started thread for crypto helper 1 Sep 21 07:16:30.093948: started thread for crypto helper 2 Sep 21 07:16:30.093977: started thread for crypto helper 3 Sep 21 07:16:30.093996: started thread for crypto helper 4 Sep 21 07:16:30.094013: started thread for crypto helper 5 Sep 21 07:16:30.094038: started thread for crypto helper 6 Sep 21 07:16:30.094047: | checking IKEv1 state table Sep 21 07:16:30.094055: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094057: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:16:30.094060: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094062: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:16:30.094065: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.094067: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:16:30.094070: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.094072: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.094075: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.094077: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:16:30.094079: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.094081: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:16:30.094084: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:16:30.094086: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.094089: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.094091: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.094093: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:16:30.094096: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.094101: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.094104: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:16:30.094108: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:16:30.094110: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094114: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:16:30.094116: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094118: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094121: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:16:30.094123: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094125: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.094128: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:16:30.094131: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:16:30.094136: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.094139: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:16:30.094143: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:16:30.094145: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094148: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.094150: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094153: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:16:30.094155: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:16:30.094158: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:16:30.094161: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:16:30.094163: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:16:30.094166: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:16:30.094169: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:16:30.094171: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094174: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:16:30.094176: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094179: | INFO: category: informational flags: 0: Sep 21 07:16:30.094181: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094184: | INFO_PROTECTED: category: informational 
flags: 0: Sep 21 07:16:30.094186: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094189: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:16:30.094191: | -> XAUTH_R1 EVENT_NULL Sep 21 07:16:30.094194: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.094196: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:16:30.094199: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:16:30.094202: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:16:30.094205: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:16:30.094207: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:16:30.094210: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.094212: | -> UNDEFINED EVENT_NULL Sep 21 07:16:30.094215: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:16:30.094220: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:16:30.094223: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.094226: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:16:30.094228: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:16:30.094231: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:16:30.094237: | checking IKEv2 state table Sep 21 07:16:30.094243: | PARENT_I0: category: ignore flags: 0: Sep 21 07:16:30.094246: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:16:30.094249: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094252: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:16:30.094254: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:16:30.094257: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:16:30.094260: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:16:30.094263: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:16:30.094266: | -> PARENT_I2 EVENT_NULL (Initiator: process 
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:16:30.094268: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:16:30.094271: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:16:30.094273: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:16:30.094276: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:16:30.094278: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:16:30.094280: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:16:30.094282: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:16:30.094284: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094286: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:16:30.094288: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:16:30.094291: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:16:30.094293: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:16:30.094295: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:16:30.094297: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:16:30.094300: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:16:30.094302: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:16:30.094304: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:16:30.094307: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.094309: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:16:30.094312: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.094314: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:16:30.094316: | V2_REKEY_IKE_I0: category: established IKE SA 
flags: 0: Sep 21 07:16:30.094318: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.094321: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:16:30.094323: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:16:30.094325: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:16:30.094328: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:16:30.094330: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:16:30.094333: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.094335: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:16:30.094340: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:16:30.094343: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:16:30.094346: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:16:30.094348: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:16:30.094351: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:16:30.094353: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:16:30.094355: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:16:30.094358: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:16:30.094404: | starting up helper thread 1 Sep 21 07:16:30.094416: | starting up helper thread 0 Sep 21 07:16:30.094410: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:16:30.094468: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:16:30.094472: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.094477: | starting up helper thread 2 Sep 21 07:16:30.094483: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:16:30.094485: | 
crypto helper 2 waiting (nothing to do) Sep 21 07:16:30.094495: | starting up helper thread 3 Sep 21 07:16:30.094500: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:16:30.094503: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:30.094510: | starting up helper thread 5 Sep 21 07:16:30.094515: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:16:30.094517: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:30.094423: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:16:30.094738: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:30.094747: | starting up helper thread 6 Sep 21 07:16:30.094754: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:16:30.094756: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:30.095964: | starting up helper thread 4 Sep 21 07:16:30.095979: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:16:30.095983: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:30.096064: | Hard-wiring algorithms Sep 21 07:16:30.096071: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:16:30.096077: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:16:30.096079: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:16:30.096081: | adding 3DES_CBC to kernel algorithm db Sep 21 07:16:30.096083: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:16:30.096085: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:16:30.096087: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:16:30.096090: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:16:30.096092: | adding AES_CTR to kernel algorithm db Sep 21 07:16:30.096095: | adding AES_CBC to kernel algorithm db Sep 21 07:16:30.096097: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:16:30.096099: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:16:30.096102: | 
adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:16:30.096104: | adding NULL to kernel algorithm db Sep 21 07:16:30.096106: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:16:30.096108: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:16:30.096111: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:16:30.096113: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:16:30.096115: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:16:30.096117: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:16:30.096119: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:16:30.096122: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:16:30.096124: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:16:30.096126: | adding NONE to kernel algorithm db Sep 21 07:16:30.096157: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:16:30.096166: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:16:30.096168: | setup kernel fd callback Sep 21 07:16:30.096171: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563a20974f00 Sep 21 07:16:30.096175: | libevent_malloc: new ptr-libevent@0x563a20981020 size 128 Sep 21 07:16:30.096178: | libevent_malloc: new ptr-libevent@0x563a209741e0 size 16 Sep 21 07:16:30.096185: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563a20974ec0 Sep 21 07:16:30.096188: | libevent_malloc: new ptr-libevent@0x563a209810b0 size 128 Sep 21 07:16:30.096191: | libevent_malloc: new ptr-libevent@0x563a20974200 size 16 Sep 21 07:16:30.096499: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:16:30.096509: selinux support is enabled. 
Sep 21 07:16:30.096591: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:16:30.096782: | unbound context created - setting debug level to 5 Sep 21 07:16:30.096823: | /etc/hosts lookups activated Sep 21 07:16:30.096840: | /etc/resolv.conf usage activated Sep 21 07:16:30.096903: | outgoing-port-avoid set 0-65535 Sep 21 07:16:30.096933: | outgoing-port-permit set 32768-60999 Sep 21 07:16:30.096936: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:16:30.096939: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:16:30.096942: | Setting up events, loop start Sep 21 07:16:30.096945: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563a2096f450 Sep 21 07:16:30.096949: | libevent_malloc: new ptr-libevent@0x563a2098b5a0 size 128 Sep 21 07:16:30.096952: | libevent_malloc: new ptr-libevent@0x563a2098b630 size 16 Sep 21 07:16:30.096958: | libevent_realloc: new ptr-libevent@0x563a208ef6c0 size 256 Sep 21 07:16:30.096961: | libevent_malloc: new ptr-libevent@0x563a2098b650 size 8 Sep 21 07:16:30.096964: | libevent_realloc: new ptr-libevent@0x563a20980420 size 144 Sep 21 07:16:30.096967: | libevent_malloc: new ptr-libevent@0x563a2098b670 size 152 Sep 21 07:16:30.096970: | libevent_malloc: new ptr-libevent@0x563a2098b710 size 16 Sep 21 07:16:30.096974: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:16:30.096977: | libevent_malloc: new ptr-libevent@0x563a2098b730 size 8 Sep 21 07:16:30.096980: | libevent_malloc: new ptr-libevent@0x563a2098b750 size 152 Sep 21 07:16:30.096982: | signal event handler PLUTO_SIGTERM installed Sep 21 07:16:30.096985: | libevent_malloc: new ptr-libevent@0x563a2098b7f0 size 8 Sep 21 07:16:30.096988: | libevent_malloc: new ptr-libevent@0x563a2098b810 size 152 Sep 21 07:16:30.096991: | signal event handler PLUTO_SIGHUP installed Sep 21 07:16:30.096993: | libevent_malloc: new ptr-libevent@0x563a2098b8b0 size 8 Sep 21 07:16:30.096996: | libevent_realloc: release 
ptr-libevent@0x563a20980420 Sep 21 07:16:30.096999: | libevent_realloc: new ptr-libevent@0x563a2098b8d0 size 256 Sep 21 07:16:30.097001: | libevent_malloc: new ptr-libevent@0x563a20980420 size 152 Sep 21 07:16:30.097004: | signal event handler PLUTO_SIGSYS installed Sep 21 07:16:30.097345: | created addconn helper (pid:11774) using fork+execve Sep 21 07:16:30.097357: | forked child 11774 Sep 21 07:16:30.097397: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.097412: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.097421: listening for IKE messages Sep 21 07:16:30.097456: | Inspecting interface lo Sep 21 07:16:30.097462: | found lo with address 127.0.0.1 Sep 21 07:16:30.097465: | Inspecting interface eth0 Sep 21 07:16:30.097469: | found eth0 with address 192.0.2.254 Sep 21 07:16:30.097471: | Inspecting interface eth0 Sep 21 07:16:30.097475: | found eth0 with address 192.0.22.251 Sep 21 07:16:30.097477: | Inspecting interface eth0 Sep 21 07:16:30.097481: | found eth0 with address 192.0.22.254 Sep 21 07:16:30.097483: | Inspecting interface eth0 Sep 21 07:16:30.097487: | found eth0 with address 192.0.2.251 Sep 21 07:16:30.097494: | Inspecting interface eth1 Sep 21 07:16:30.097497: | found eth1 with address 192.1.2.23 Sep 21 07:16:30.097544: Kernel supports NIC esp-hw-offload Sep 21 07:16:30.097553: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:16:30.097578: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097583: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.097587: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:30.097610: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.251:500 Sep 21 07:16:30.097630: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097634: | NAT-Traversal: ESPINUDP(2) setup succeeded for 
sockopt style NAT-T family IPv4 Sep 21 07:16:30.097637: adding interface eth0/eth0 192.0.2.251:4500 Sep 21 07:16:30.097659: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.254:500 Sep 21 07:16:30.097679: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097682: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.097686: adding interface eth0/eth0 192.0.22.254:4500 Sep 21 07:16:30.097707: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.22.251:500 Sep 21 07:16:30.097727: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097731: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.097734: adding interface eth0/eth0 192.0.22.251:4500 Sep 21 07:16:30.097756: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:16:30.097775: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097778: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.097782: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:30.097815: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:16:30.097834: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:16:30.097837: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:16:30.097841: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:16:30.097898: | no interfaces to sort Sep 21 07:16:30.097902: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:16:30.097915: | add_fd_read_event_handler: new ethX-pe@0x563a2098bfe0 Sep 21 07:16:30.097919: | libevent_malloc: new ptr-libevent@0x563a2098c020 size 128 Sep 21 07:16:30.097922: | libevent_malloc: new ptr-libevent@0x563a2098c0b0 size 16 Sep 21 07:16:30.097931: | setup callback for interface lo 127.0.0.1:4500 fd 28 Sep 21 07:16:30.097934: | add_fd_read_event_handler: new ethX-pe@0x563a2098c0d0 Sep 21 07:16:30.097936: | libevent_malloc: new ptr-libevent@0x563a2098c110 size 128 Sep 21 07:16:30.097939: | libevent_malloc: new ptr-libevent@0x563a2098c1a0 size 16 Sep 21 07:16:30.097943: | setup callback for interface lo 127.0.0.1:500 fd 27 Sep 21 07:16:30.097946: | add_fd_read_event_handler: new ethX-pe@0x563a2098c1c0 Sep 21 07:16:30.097948: | libevent_malloc: new ptr-libevent@0x563a2098c200 size 128 Sep 21 07:16:30.097951: | libevent_malloc: new ptr-libevent@0x563a2098c290 size 16 Sep 21 07:16:30.097955: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Sep 21 07:16:30.097958: | add_fd_read_event_handler: new ethX-pe@0x563a2098c2b0 Sep 21 07:16:30.097961: | libevent_malloc: new ptr-libevent@0x563a2098c2f0 size 128 Sep 21 07:16:30.097963: | libevent_malloc: new ptr-libevent@0x563a2098c380 size 16 Sep 21 07:16:30.097968: | setup callback for interface eth0 192.0.2.254:500 fd 25 Sep 21 07:16:30.097971: | add_fd_read_event_handler: new ethX-pe@0x563a2098c3a0 Sep 21 07:16:30.097973: | libevent_malloc: new ptr-libevent@0x563a2098ca60 size 128 Sep 21 07:16:30.097976: | libevent_malloc: new ptr-libevent@0x563a2098caf0 size 16 Sep 21 07:16:30.097980: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Sep 21 07:16:30.097983: | add_fd_read_event_handler: new ethX-pe@0x563a2098cb10 Sep 21 07:16:30.097988: | libevent_malloc: new ptr-libevent@0x563a2098cb50 size 128 Sep 21 07:16:30.097991: | libevent_malloc: new ptr-libevent@0x563a2098cbe0 size 16 Sep 21 07:16:30.097995: | setup callback for interface eth0 192.0.22.251:500 fd 23 Sep 21 
07:16:30.097998: | add_fd_read_event_handler: new ethX-pe@0x563a2098cc00 Sep 21 07:16:30.098001: | libevent_malloc: new ptr-libevent@0x563a2098cc40 size 128 Sep 21 07:16:30.098003: | libevent_malloc: new ptr-libevent@0x563a2098ccd0 size 16 Sep 21 07:16:30.098008: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Sep 21 07:16:30.098010: | add_fd_read_event_handler: new ethX-pe@0x563a2098ccf0 Sep 21 07:16:30.098013: | libevent_malloc: new ptr-libevent@0x563a2098cd30 size 128 Sep 21 07:16:30.098015: | libevent_malloc: new ptr-libevent@0x563a2098cdc0 size 16 Sep 21 07:16:30.098019: | setup callback for interface eth0 192.0.22.254:500 fd 21 Sep 21 07:16:30.098022: | add_fd_read_event_handler: new ethX-pe@0x563a2098cde0 Sep 21 07:16:30.098025: | libevent_malloc: new ptr-libevent@0x563a2098ce20 size 128 Sep 21 07:16:30.098027: | libevent_malloc: new ptr-libevent@0x563a2098ceb0 size 16 Sep 21 07:16:30.098032: | setup callback for interface eth0 192.0.2.251:4500 fd 20 Sep 21 07:16:30.098034: | add_fd_read_event_handler: new ethX-pe@0x563a2098ced0 Sep 21 07:16:30.098037: | libevent_malloc: new ptr-libevent@0x563a2098cf10 size 128 Sep 21 07:16:30.098039: | libevent_malloc: new ptr-libevent@0x563a2098cfa0 size 16 Sep 21 07:16:30.098044: | setup callback for interface eth0 192.0.2.251:500 fd 19 Sep 21 07:16:30.098047: | add_fd_read_event_handler: new ethX-pe@0x563a2098cfc0 Sep 21 07:16:30.098051: | libevent_malloc: new ptr-libevent@0x563a2098d000 size 128 Sep 21 07:16:30.098054: | libevent_malloc: new ptr-libevent@0x563a2098d090 size 16 Sep 21 07:16:30.098058: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:30.098061: | add_fd_read_event_handler: new ethX-pe@0x563a2098d0b0 Sep 21 07:16:30.098063: | libevent_malloc: new ptr-libevent@0x563a2098d0f0 size 128 Sep 21 07:16:30.098066: | libevent_malloc: new ptr-libevent@0x563a2098d180 size 16 Sep 21 07:16:30.098070: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:30.098075: | 
certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.098078: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.098175: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.098198: | saving Modulus Sep 21 07:16:30.098203: | saving PublicExponent Sep 21 07:16:30.098207: | ignoring PrivateExponent Sep 21 07:16:30.098210: | ignoring Prime1 Sep 21 07:16:30.098213: | ignoring Prime2 Sep 21 07:16:30.098216: | ignoring Exponent1 Sep 21 07:16:30.098219: | ignoring Exponent2 Sep 21 07:16:30.098222: | ignoring Coefficient Sep 21 07:16:30.098225: | ignoring CKAIDNSS Sep 21 07:16:30.098263: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.098266: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.098270: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:16:30.098275: | certs and keys locked by 'process_secret' Sep 21 07:16:30.098279: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.098285: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.098292: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.098301: | spent 0.842 milliseconds in whack Sep 21 07:16:30.137078: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137097: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.137100: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.137102: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.137103: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.137106: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:16:30.137112: | Added new connection north-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.137119: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:30.137138: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:30.137140: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:30.137152: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:30.137157: | counting wild cards for @north is 0 Sep 21 07:16:30.137209: | counting wild cards for @east is 0 Sep 21 07:16:30.137221: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:16:30.137225: | new hp@0x563a209585d0 Sep 21 07:16:30.137229: added connection description "north-eastnets/0x1" Sep 21 07:16:30.137242: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.137254: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:16:30.137262: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137269: | spent 0.155 milliseconds in whack Sep 21 07:16:30.137298: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137306: add keyid @north
Sep 21 07:16:30.137354: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.137355: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.137360: | keyid: *AQPl33O2P Sep 21 07:16:30.137389: | e 03 Sep 21 07:16:30.137391: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.137392: | CKAID 88 aa 7c 5d Sep 21 07:16:30.137398: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137402: | spent 0.107 milliseconds in whack Sep 21 07:16:30.137429: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137436: add keyid @east
Sep 21 07:16:30.137470: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.137472: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.137474: | keyid: *AQO9bJbr3 Sep 21 07:16:30.137502: | e 03 Sep 21 07:16:30.137504: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.137505: | CKAID 8a 82 25 f1 Sep 21 07:16:30.137510: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137515: | spent 0.0883 milliseconds in whack Sep 21 07:16:30.137537: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137543: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.137546: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.137547: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.137549: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.137551: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.137554: | Added new connection north-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.137556: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:16:30.137567: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Sep 21 07:16:30.137569: | from whack: got --esp=aes128-sha2_512;modp3072 Sep 21 07:16:30.137580: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Sep 21 07:16:30.137583: | counting wild cards for @north is 0 Sep 21 07:16:30.137586: | counting wild cards for @east is 0 Sep 21 07:16:30.137592: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:30.137597: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x563a209585d0: north-eastnets/0x1 Sep 21 07:16:30.137599: added connection description "north-eastnets/0x2" Sep 21 07:16:30.137609: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:16:30.137620: |
192.0.22.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:16:30.137627: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137632: | spent 0.0975 milliseconds in whack Sep 21 07:16:30.137668: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137677: add keyid @north Sep 21 07:16:30.137681: | unreference key: 0x563a20914f60 @north cnt 1--
Sep 21 07:16:30.137731: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.137736: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:16:30.137740: | keyid: *AQPl33O2P Sep 21 07:16:30.137782: | e 03 Sep 21 07:16:30.137792: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:16:30.137794: | CKAID 88 aa 7c 5d Sep 21 07:16:30.137802: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137806: | spent 0.137 milliseconds in whack Sep 21 07:16:30.137844: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.137852: add keyid @east Sep 21 07:16:30.137856: | unreference key: 0x563a208e68f0 @east cnt 1--
Sep 21 07:16:30.137905: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.137908: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.137911: | keyid: *AQO9bJbr3 Sep 21 07:16:30.137956: | e 03 Sep 21 07:16:30.137958: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:16:30.137960: | CKAID 8a 82 25 f1 Sep 21 07:16:30.137967: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.137971: | spent 0.13 milliseconds in whack Sep 21 07:16:30.137997: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.138006: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:16:30.138010: listening for IKE messages Sep 21 07:16:30.138042: | Inspecting interface lo Sep 21 07:16:30.138047: | found lo with address 127.0.0.1 Sep 21 07:16:30.138050: | Inspecting interface eth0 Sep 21 07:16:30.138054: | found eth0 with address 192.0.2.254 Sep 21 07:16:30.138056: | Inspecting interface eth0 Sep 21 07:16:30.138060: | found eth0 with address 192.0.22.251
Sep 21 07:16:30.138062: | Inspecting interface eth0 Sep 21 07:16:30.138065: | found eth0 with address 192.0.22.254 Sep 21 07:16:30.138068: | Inspecting interface eth0 Sep 21 07:16:30.138071: | found eth0 with address 192.0.2.251 Sep 21 07:16:30.138074: | Inspecting interface eth1 Sep 21 07:16:30.138077: | found eth1 with address 192.1.2.23 Sep 21 07:16:30.138181: | no interfaces to sort Sep 21 07:16:30.138191: | libevent_free: release ptr-libevent@0x563a2098c020 Sep 21 07:16:30.138195: | free_event_entry: release EVENT_NULL-pe@0x563a2098bfe0 Sep 21 07:16:30.138198: | add_fd_read_event_handler: new ethX-pe@0x563a2098bfe0 Sep 21 07:16:30.138202: | libevent_malloc: new ptr-libevent@0x563a2098c020 size 128 Sep 21 07:16:30.138209: | setup callback for interface lo 127.0.0.1:4500 fd 28 Sep 21 07:16:30.138213: | libevent_free: release ptr-libevent@0x563a2098c110 Sep 21 07:16:30.138215: | free_event_entry: release EVENT_NULL-pe@0x563a2098c0d0 Sep 21 07:16:30.138218: | add_fd_read_event_handler: new ethX-pe@0x563a2098c0d0 Sep 21 07:16:30.138221: | libevent_malloc: new ptr-libevent@0x563a2098c110 size 128 Sep 21 07:16:30.138226: | setup callback for interface lo 127.0.0.1:500 fd 27 Sep 21 07:16:30.138229: | libevent_free: release ptr-libevent@0x563a2098c200 Sep 21 07:16:30.138232: | free_event_entry: release EVENT_NULL-pe@0x563a2098c1c0 Sep 21 07:16:30.138234: | add_fd_read_event_handler: new ethX-pe@0x563a2098c1c0 Sep 21 07:16:30.138237: | libevent_malloc: new ptr-libevent@0x563a2098c200 size 128 Sep 21 07:16:30.138242: | setup callback for interface eth0 192.0.2.254:4500 fd 26 Sep 21 07:16:30.138246: | libevent_free: release ptr-libevent@0x563a2098c2f0 Sep 21 07:16:30.138249: | free_event_entry: release EVENT_NULL-pe@0x563a2098c2b0 Sep 21 07:16:30.138251: | add_fd_read_event_handler: new ethX-pe@0x563a2098c2b0 Sep 21 07:16:30.138254: | libevent_malloc: new ptr-libevent@0x563a2098c2f0 size 128 Sep 21 07:16:30.138259: | setup callback for interface eth0 192.0.2.254:500 fd 25 
Sep 21 07:16:30.138265: | libevent_free: release ptr-libevent@0x563a2098ca60 Sep 21 07:16:30.138268: | free_event_entry: release EVENT_NULL-pe@0x563a2098c3a0 Sep 21 07:16:30.138271: | add_fd_read_event_handler: new ethX-pe@0x563a2098ddf0 Sep 21 07:16:30.138274: | libevent_malloc: new ptr-libevent@0x563a2098ca60 size 128 Sep 21 07:16:30.138279: | setup callback for interface eth0 192.0.22.251:4500 fd 24 Sep 21 07:16:30.138282: | libevent_free: release ptr-libevent@0x563a2098cb50 Sep 21 07:16:30.138285: | free_event_entry: release EVENT_NULL-pe@0x563a2098cb10 Sep 21 07:16:30.138287: | add_fd_read_event_handler: new ethX-pe@0x563a2098cb10 Sep 21 07:16:30.138290: | libevent_malloc: new ptr-libevent@0x563a2098cb50 size 128 Sep 21 07:16:30.138295: | setup callback for interface eth0 192.0.22.251:500 fd 23 Sep 21 07:16:30.138299: | libevent_free: release ptr-libevent@0x563a2098cc40 Sep 21 07:16:30.138302: | free_event_entry: release EVENT_NULL-pe@0x563a2098cc00 Sep 21 07:16:30.138305: | add_fd_read_event_handler: new ethX-pe@0x563a2098cc00 Sep 21 07:16:30.138307: | libevent_malloc: new ptr-libevent@0x563a2098cc40 size 128 Sep 21 07:16:30.138312: | setup callback for interface eth0 192.0.22.254:4500 fd 22 Sep 21 07:16:30.138316: | libevent_free: release ptr-libevent@0x563a2098cd30 Sep 21 07:16:30.138318: | free_event_entry: release EVENT_NULL-pe@0x563a2098ccf0 Sep 21 07:16:30.138321: | add_fd_read_event_handler: new ethX-pe@0x563a2098ccf0 Sep 21 07:16:30.138324: | libevent_malloc: new ptr-libevent@0x563a2098cd30 size 128 Sep 21 07:16:30.138328: | setup callback for interface eth0 192.0.22.254:500 fd 21 Sep 21 07:16:30.138332: | libevent_free: release ptr-libevent@0x563a2098ce20 Sep 21 07:16:30.138334: | free_event_entry: release EVENT_NULL-pe@0x563a2098cde0 Sep 21 07:16:30.138337: | add_fd_read_event_handler: new ethX-pe@0x563a2098cde0 Sep 21 07:16:30.138340: | libevent_malloc: new ptr-libevent@0x563a2098ce20 size 128 Sep 21 07:16:30.138345: | setup callback for interface 
eth0 192.0.2.251:4500 fd 20 Sep 21 07:16:30.138348: | libevent_free: release ptr-libevent@0x563a2098cf10 Sep 21 07:16:30.138351: | free_event_entry: release EVENT_NULL-pe@0x563a2098ced0 Sep 21 07:16:30.138354: | add_fd_read_event_handler: new ethX-pe@0x563a2098ced0 Sep 21 07:16:30.138356: | libevent_malloc: new ptr-libevent@0x563a2098cf10 size 128 Sep 21 07:16:30.138361: | setup callback for interface eth0 192.0.2.251:500 fd 19 Sep 21 07:16:30.138364: | libevent_free: release ptr-libevent@0x563a2098d000 Sep 21 07:16:30.138367: | free_event_entry: release EVENT_NULL-pe@0x563a2098cfc0 Sep 21 07:16:30.138370: | add_fd_read_event_handler: new ethX-pe@0x563a2098cfc0 Sep 21 07:16:30.138372: | libevent_malloc: new ptr-libevent@0x563a2098d000 size 128 Sep 21 07:16:30.138377: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:16:30.138381: | libevent_free: release ptr-libevent@0x563a2098d0f0 Sep 21 07:16:30.138383: | free_event_entry: release EVENT_NULL-pe@0x563a2098d0b0 Sep 21 07:16:30.138386: | add_fd_read_event_handler: new ethX-pe@0x563a2098d0b0 Sep 21 07:16:30.138388: | libevent_malloc: new ptr-libevent@0x563a2098d0f0 size 128 Sep 21 07:16:30.138393: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:16:30.138396: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:30.138399: forgetting secrets Sep 21 07:16:30.138407: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:30.138421: loading secrets from "/etc/ipsec.secrets" Sep 21 07:16:30.138436: | saving Modulus Sep 21 07:16:30.138440: | saving PublicExponent Sep 21 07:16:30.138443: | ignoring PrivateExponent Sep 21 07:16:30.138446: | ignoring Prime1 Sep 21 07:16:30.138449: | ignoring Prime2 Sep 21 07:16:30.138453: | ignoring Exponent1 Sep 21 07:16:30.138455: | ignoring Exponent2 Sep 21 07:16:30.138459: | ignoring Coefficient Sep 21 07:16:30.138462: | ignoring CKAIDNSS Sep 21 07:16:30.138473: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 
Sep 21 07:16:30.138476: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:16:30.138484: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:16:30.138491: | certs and keys locked by 'process_secret' Sep 21 07:16:30.138494: | certs and keys unlocked by 'process_secret' Sep 21 07:16:30.138499: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:16:30.138506: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.138512: | spent 0.481 milliseconds in whack Sep 21 07:16:30.138537: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.138546: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:16:30.138549: initiating all conns with alias='north-eastnets' Sep 21 07:16:30.138554: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:16:30.138559: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Sep 21 07:16:30.138562: | connection 'north-eastnets/0x2' +POLICY_UP Sep 21 07:16:30.138565: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Sep 21 07:16:30.138567: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:30.138577: | creating state object #1 at 0x563a2098ea00 Sep 21 07:16:30.138581: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:16:30.138588: | pstats #1 ikev2.ike started Sep 21 07:16:30.138591: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:30.138594: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Sep 21 07:16:30.138600: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:30.138607: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:30.138612: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_parent_outI1() at ikev2_parent.c:535) Sep 21 07:16:30.138615: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Sep 21 07:16:30.138620: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x2" IKE SA #1 "north-eastnets/0x2" Sep 21 07:16:30.138623: "north-eastnets/0x2" #1: initiating v2 parent SA Sep 21 07:16:30.138632: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE) Sep 21 07:16:30.138636: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Sep 21 07:16:30.138642: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.138647: "north-eastnets/0x2": constructed local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.138656: | adding ikev2_outI1 KE work-order 1 for state #1 Sep 21 07:16:30.138660: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:30.138663: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:30.138666: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:30.138678: | #1 spent 0.118 milliseconds in ikev2_parent_outI1() Sep 21 07:16:30.138681: | processing: RESET whack log_fd (was fd@16) (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:30.138686: | RESET processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:30.138693: | RESET processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Sep 21 07:16:30.138685: | crypto helper 0 resuming Sep 21 07:16:30.138698: | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) Sep 21 07:16:30.138710: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:16:30.138713: | start processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:186) Sep 21 07:16:30.138719: | crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Sep 21 07:16:30.138720: | connection 'north-eastnets/0x1' +POLICY_UP Sep 21 07:16:30.138733: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Sep 21 07:16:30.138735: | FOR_EACH_STATE_... 
in find_phase1_state Sep 21 07:16:30.138740: | Queuing pending IPsec SA negotiating with 192.1.3.33 "north-eastnets/0x1" IKE SA #1 "north-eastnets/0x2" Sep 21 07:16:30.138746: | stop processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:349) Sep 21 07:16:30.138753: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.138758: | spent 0.21 milliseconds in whack Sep 21 07:16:30.139769: | crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.001049 seconds Sep 21 07:16:30.139789: | (#1) spent 1.06 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Sep 21 07:16:30.139795: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:16:30.139799: | scheduling resume sending helper answer for #1 Sep 21 07:16:30.139803: | libevent_malloc: new ptr-libevent@0x7f7808006900 size 128 Sep 21 07:16:30.139812: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:30.139882: | processing resume sending helper answer for #1 Sep 21 07:16:30.139894: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:30.139898: | crypto helper 0 replies to request ID 1 Sep 21 07:16:30.139901: | calling continuation function 0x563a1ff20630 Sep 21 07:16:30.139903: | ikev2_parent_outI1_continue for #1 Sep 21 07:16:30.139932: | **emit ISAKMP Message: Sep 21 07:16:30.139936: | initiator cookie: Sep 21 07:16:30.139939: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:30.139942: | responder cookie: Sep 21 07:16:30.139944: | 00 00 00 00 00 00 00 00 Sep 21 07:16:30.139947: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:30.139950: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:30.139953: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:30.139956: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:30.139958: | Message ID: 0 (0x0) Sep 21 07:16:30.139961: | 
next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:30.139969: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:30.139972: | Emitting ikev2_proposals ... Sep 21 07:16:30.139975: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:30.139978: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.139981: | flags: none (0x0) Sep 21 07:16:30.139985: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:30.139988: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.139991: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:30.139994: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:30.139996: | prop #: 1 (0x1) Sep 21 07:16:30.139999: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:30.140001: | spi size: 0 (0x0) Sep 21 07:16:30.140004: | # transforms: 4 (0x4) Sep 21 07:16:30.140007: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:30.140010: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.140013: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140016: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:30.140018: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:30.140021: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.140024: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:30.140030: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:30.140032: | length/value: 256 (0x100) Sep 21 07:16:30.140035: | emitting length of IKEv2 
Transform Substructure Payload: 12 Sep 21 07:16:30.140038: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.140040: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140042: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:30.140045: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:30.140048: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140050: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.140053: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.140055: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.140058: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140060: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:30.140063: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:30.140066: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140069: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.140071: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.140073: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:30.140076: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:30.140078: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:30.140080: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.140083: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:30.140085: | last substructure: saving location 'IKEv2 Proposal Substructure 
Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:30.140088: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:30.140090: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:30.140092: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:30.140095: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:30.140098: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:30.140100: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:30.140102: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.140105: | flags: none (0x0) Sep 21 07:16:30.140107: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:30.140110: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:30.140113: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.140116: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:30.140155: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:30.140157: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:30.140160: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:30.140162: | flags: none (0x0) Sep 21 07:16:30.140165: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:30.140168: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:30.140171: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.140173: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:30.140175: | IKEv2 nonce 19 d9 84 91 69 ce 64 18 a2 eb 2b 70 4e 38 52 e9 Sep 21 07:16:30.140178: | IKEv2 nonce 9c c9 d6 91 ee 9b 32 f6 de a9 50 7e ce cd 3d 24 Sep 21 07:16:30.140180: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:30.140182: | Adding a v2N Payload Sep 21 07:16:30.140185: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.140187: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.140189: | flags: none (0x0) Sep 21 07:16:30.140192: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.140194: | SPI size: 0 (0x0) Sep 21 07:16:30.140197: | Notify Message Type: 
v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:30.140200: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.140203: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.140205: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:30.140208: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:30.140211: | natd_hash: rcookie is zero Sep 21 07:16:30.140224: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:30.140227: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:30.140229: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.140231: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:30.140234: | natd_hash: port= 01 f4 Sep 21 07:16:30.140236: | natd_hash: hash= 4b 9a 43 9c 55 f8 84 08 22 78 46 fe 29 b8 63 5e Sep 21 07:16:30.140238: | natd_hash: hash= e9 73 15 66 Sep 21 07:16:30.140240: | Adding a v2N Payload Sep 21 07:16:30.140242: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.140245: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.140247: | flags: none (0x0) Sep 21 07:16:30.140249: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.140252: | SPI size: 0 (0x0) Sep 21 07:16:30.140254: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:30.140257: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.140260: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.140262: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:30.140265: | Notify data 4b 9a 43 9c 55 f8 84 08 22 78 46 fe 29 b8 63 5e Sep 21 07:16:30.140267: | Notify data e9 73 15 66 Sep 21 07:16:30.140271: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.140273: | natd_hash: 
rcookie is zero Sep 21 07:16:30.140280: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:30.140283: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:30.140285: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:30.140287: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:30.140289: | natd_hash: port= 01 f4 Sep 21 07:16:30.140292: | natd_hash: hash= cf a3 d9 cc 23 0d f5 f4 4e 65 38 55 ce 45 2d 4d Sep 21 07:16:30.140294: | natd_hash: hash= 11 dd e0 94 Sep 21 07:16:30.140297: | Adding a v2N Payload Sep 21 07:16:30.140299: | ***emit IKEv2 Notify Payload: Sep 21 07:16:30.140302: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:30.140305: | flags: none (0x0) Sep 21 07:16:30.140307: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:30.140309: | SPI size: 0 (0x0) Sep 21 07:16:30.140312: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:30.140315: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:30.140317: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:30.140320: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:30.140323: | Notify data cf a3 d9 cc 23 0d f5 f4 4e 65 38 55 ce 45 2d 4d Sep 21 07:16:30.140325: | Notify data 11 dd e0 94 Sep 21 07:16:30.140327: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:30.140329: | emitting length of ISAKMP Message: 440 Sep 21 07:16:30.140337: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Sep 21 07:16:30.140347: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:30.140352: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Sep 21 07:16:30.140356: | IKEv2: transition from state 
STATE_PARENT_I0 to state STATE_PARENT_I1 Sep 21 07:16:30.140359: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Sep 21 07:16:30.140362: | Message ID: updating counters for #1 to 4294967295 after switching state Sep 21 07:16:30.140365: | Message ID: IKE #1 skipping update_recv as MD is fake Sep 21 07:16:30.140370: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:30.140374: "north-eastnets/0x2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:30.140379: | sending V2 reply packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:30.140388: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.140503: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:30.140508: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:30.140511: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:30.140514: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:30.140518: | event_schedule: new EVENT_RETRANSMIT-pe@0x563a2098de70 Sep 21 07:16:30.140522: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Sep 21 07:16:30.140524: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:30.140529: | #1 STATE_PARENT_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48836.508782 Sep 21 07:16:30.140533: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:30.140539: | #1 spent 0.616 milliseconds in resume sending helper answer Sep 21 07:16:30.140544: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:30.140547: | 
libevent_free: release ptr-libevent@0x7f7808006900 Sep 21 07:16:30.140557: | processing signal PLUTO_SIGCHLD Sep 21 07:16:30.140571: | waitpid returned pid 11774 (exited with status 0) Sep 21 07:16:30.140574: | reaped addconn helper child (status 0) Sep 21 07:16:30.140578: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:30.140583: | spent 0.0215 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:30.169918: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:30.170083: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:30.170087: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:16:30.170198: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:16:30.170202: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:30.170217: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:30.170223: | spent 0.304 milliseconds in whack Sep 21 07:16:30.641736: | timer_event_cb: processing event@0x563a2098de70 Sep 21 07:16:30.641748: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:30.641754: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:30.641757: | IKEv2 retransmit event Sep 21 07:16:30.641760: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21 07:16:30.641763: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x2" #1 attempt 2 of 0 Sep 21 07:16:30.641766: | and parent for 192.1.3.33 "north-eastnets/0x2" #1 keying attempt 1 of 0; retransmit 1 Sep 21 07:16:30.641770: | retransmits: current time 48837.010033; retransmit count 0 exceeds limit? NO; deltatime 0.5 exceeds limit? NO; monotime 0.501251 exceeds limit? 
NO Sep 21 07:16:30.641773: | event_schedule: new EVENT_RETRANSMIT-pe@0x7f7808002b20 Sep 21 07:16:30.641779: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Sep 21 07:16:30.641781: | libevent_malloc: new ptr-libevent@0x7f7808006900 size 128 Sep 21 07:16:30.641788: "north-eastnets/0x2" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response Sep 21 07:16:30.641796: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:30.641871: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:30.641874: | free_event_entry: release EVENT_RETRANSMIT-pe@0x563a2098de70 Sep 21 07:16:30.641880: | #1 spent 0.123 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:30.641883: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.068072: | spent 0.00314 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.068094: | *received 440 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.068166: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:31.068169: | **parse ISAKMP Message: Sep 21 07:16:31.068172: | initiator cookie: Sep 21 07:16:31.068174: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.068176: | responder cookie: Sep 21 07:16:31.068178: | 00 00 00 00 00 00 00 00 Sep 21 07:16:31.068185: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.068188: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.068190: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.068193: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.068195: | Message ID: 0 (0x0) Sep 21 07:16:31.068198: | length: 440 (0x1b8) Sep 21 07:16:31.068201: | processing version=2.0 packet with exchange 
type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:31.068204: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:16:31.068207: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:31.068210: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.068213: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:31.068216: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.068218: | flags: none (0x0) Sep 21 07:16:31.068220: | length: 48 (0x30) Sep 21 07:16:31.068223: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:16:31.068225: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.068228: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.068231: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.068233: | flags: none (0x0) Sep 21 07:16:31.068235: | length: 264 (0x108) Sep 21 07:16:31.068238: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.068240: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:31.068243: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.068245: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:31.068248: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.068250: | flags: none (0x0) Sep 21 07:16:31.068252: | length: 36 (0x24) Sep 21 07:16:31.068255: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.068257: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.068259: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.068262: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.068264: | flags: none (0x0) Sep 21 07:16:31.068266: | length: 8 (0x8) Sep 21 07:16:31.068269: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.068271: | SPI size: 0 (0x0) Sep 21 07:16:31.068274: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.068277: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:31.068281: | Now let's proceed with 
payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.068283: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.068285: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.068288: | flags: none (0x0) Sep 21 07:16:31.068290: | length: 28 (0x1c) Sep 21 07:16:31.068292: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.068295: | SPI size: 0 (0x0) Sep 21 07:16:31.068297: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.068300: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.068302: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.068304: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.068307: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.068309: | flags: none (0x0) Sep 21 07:16:31.068311: | length: 28 (0x1c) Sep 21 07:16:31.068314: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.068316: | SPI size: 0 (0x0) Sep 21 07:16:31.068318: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.068321: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.068323: | DDOS disabled and no cookie sent, continuing Sep 21 07:16:31.068329: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.068335: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:31.068338: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:16:31.068342: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:31.068345: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Sep 21 07:16:31.068347: | find_next_host_connection returns empty Sep 21 07:16:31.068351: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.068354: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 
07:16:31.068356: | find_next_host_connection returns empty Sep 21 07:16:31.068360: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:16:31.068365: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:16:31.068370: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:31.068372: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:31.068375: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Sep 21 07:16:31.068378: | find_next_host_connection returns north-eastnets/0x2 Sep 21 07:16:31.068380: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:31.068383: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Sep 21 07:16:31.068386: | find_next_host_connection returns north-eastnets/0x1 Sep 21 07:16:31.068388: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:16:31.068390: | find_next_host_connection returns empty Sep 21 07:16:31.068393: | found connection: north-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Sep 21 07:16:31.068409: | creating state object #2 at 0x563a20991ac0 Sep 21 07:16:31.068412: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:16:31.068419: | pstats #2 ikev2.ike started Sep 21 07:16:31.068423: | Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:16:31.068426: | parent state #2: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:16:31.068432: | Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.068440: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at 
ikev2.c:2016) Sep 21 07:16:31.068445: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.068449: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.068452: | #2 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:16:31.068456: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:16:31.068461: | Message ID: start-responder #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:16:31.068464: | #2 in state PARENT_R0: processing SA_INIT request Sep 21 07:16:31.068466: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:16:31.068469: | Now let's proceed with state specific processing Sep 21 07:16:31.068471: | calling processor Respond to IKE_SA_INIT Sep 21 07:16:31.068477: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.068484: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.068487: | Comparing remote proposals against IKE responder 1 local proposals Sep 21 07:16:31.068490: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.068492: | local proposal 1 type PRF has 1 transforms Sep 21 07:16:31.068495: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.068497: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.068500: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:31.068503: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:31.068506: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.068509: | last proposal: v2_PROPOSAL_LAST (0x0) 
Sep 21 07:16:31.068511: | length: 44 (0x2c) Sep 21 07:16:31.068513: | prop #: 1 (0x1) Sep 21 07:16:31.068516: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.068518: | spi size: 0 (0x0) Sep 21 07:16:31.068520: | # transforms: 4 (0x4) Sep 21 07:16:31.068524: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.068527: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.068529: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.068531: | length: 12 (0xc) Sep 21 07:16:31.068534: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.068536: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.068539: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.068542: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.068544: | length/value: 256 (0x100) Sep 21 07:16:31.068548: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.068551: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.068553: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.068555: | length: 8 (0x8) Sep 21 07:16:31.068558: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.068560: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.068564: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:31.068566: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.068569: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.068571: | length: 8 (0x8) Sep 21 07:16:31.068573: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.068575: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.068579: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.068581: | *****parse IKEv2 Transform Substructure Payload: 
Sep 21 07:16:31.068584: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.068587: | length: 8 (0x8) Sep 21 07:16:31.068590: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.068592: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.068595: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.068599: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Sep 21 07:16:31.068604: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Sep 21 07:16:31.068606: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.068611: "north-eastnets/0x2" #2: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Sep 21 07:16:31.068616: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.068618: | converting proposal to internal trans attrs Sep 21 07:16:31.068622: | natd_hash: rcookie is zero Sep 21 07:16:31.068631: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.068634: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.068636: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:16:31.068638: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.068641: | natd_hash: port= 01 f4 Sep 21 07:16:31.068643: | natd_hash: hash= 44 69 b3 1f b6 fe e3 8d e3 28 91 5a 97 f1 be f3 Sep 21 07:16:31.068645: | natd_hash: hash= 19 73 f7 76 Sep 21 07:16:31.068648: | natd_hash: rcookie is zero Sep 21 07:16:31.068653: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.068655: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.068658: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 
07:16:31.068660: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.068662: | natd_hash: port= 01 f4 Sep 21 07:16:31.068664: | natd_hash: hash= 7e 14 1e 8c 25 8c ba 97 b5 11 ca ea f9 40 88 6d Sep 21 07:16:31.068666: | natd_hash: hash= 23 8c a0 25 Sep 21 07:16:31.068669: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:31.068671: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:31.068673: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:16:31.068676: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:16:31.068682: | adding ikev2_inI1outR1 KE work-order 2 for state #2 Sep 21 07:16:31.068686: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:31.068689: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Sep 21 07:16:31.068692: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:31.068702: | #2 spent 0.226 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:16:31.068707: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.068707: | crypto helper 2 resuming Sep 21 07:16:31.068714: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:31.068724: | crypto helper 2 starting work-order 2 for state #2 Sep 21 07:16:31.068729: | suspending state #2 and saving MD Sep 21 07:16:31.068734: | crypto helper 2 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 2 Sep 21 07:16:31.068736: | #2 is busy; has a suspended MD Sep 21 07:16:31.068745: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.068748: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.068753: | stop processing: state #2 connection "north-eastnets/0x2" from 
192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.068757: | #2 spent 0.664 milliseconds in ikev2_process_packet() Sep 21 07:16:31.068764: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:31.068767: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.068770: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.068774: | spent 0.68 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.069722: | crypto helper 2 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 2 time elapsed 0.000988 seconds Sep 21 07:16:31.069734: | (#2) spent 0.993 milliseconds in crypto helper computing work-order 2: ikev2_inI1outR1 KE (pcr) Sep 21 07:16:31.069737: | crypto helper 2 sending results from work-order 2 for state #2 to event queue Sep 21 07:16:31.069740: | scheduling resume sending helper answer for #2 Sep 21 07:16:31.069743: | libevent_malloc: new ptr-libevent@0x7f7800006900 size 128 Sep 21 07:16:31.069750: | crypto helper 2 waiting (nothing to do) Sep 21 07:16:31.069757: | processing resume sending helper answer for #2 Sep 21 07:16:31.069767: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.069771: | crypto helper 2 replies to request ID 2 Sep 21 07:16:31.069774: | calling continuation function 0x563a1ff20630 Sep 21 07:16:31.069777: | ikev2_parent_inI1outR1_continue for #2: calculated ke+nonce, sending R1 Sep 21 07:16:31.069782: | **emit ISAKMP Message: Sep 21 07:16:31.069791: | initiator cookie: Sep 21 07:16:31.069793: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.069796: | responder cookie: Sep 21 07:16:31.069798: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.069801: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.069804: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.069807: | exchange type: ISAKMP_v2_IKE_SA_INIT 
(0x22) Sep 21 07:16:31.069809: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.069812: | Message ID: 0 (0x0) Sep 21 07:16:31.069815: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.069818: | Emitting ikev2_proposal ... Sep 21 07:16:31.069820: | ***emit IKEv2 Security Association Payload: Sep 21 07:16:31.069823: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.069825: | flags: none (0x0) Sep 21 07:16:31.069829: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.069832: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.069835: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.069837: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.069840: | prop #: 1 (0x1) Sep 21 07:16:31.069842: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.069844: | spi size: 0 (0x0) Sep 21 07:16:31.069847: | # transforms: 4 (0x4) Sep 21 07:16:31.069849: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.069852: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.069854: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069857: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.069859: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.069862: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.069865: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.069867: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.069869: | length/value: 256 (0x100) Sep 21 07:16:31.069872: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.069874: | *****emit 
IKEv2 Transform Substructure Payload: Sep 21 07:16:31.069877: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069879: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.069884: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.069887: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069890: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.069892: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.069895: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.069897: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069899: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.069902: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.069905: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069908: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.069910: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.069912: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.069915: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.069917: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.069920: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.069923: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.069925: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 
07:16:31.069928: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.069930: | emitting length of IKEv2 Proposal Substructure Payload: 44 Sep 21 07:16:31.069933: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.069935: | emitting length of IKEv2 Security Association Payload: 48 Sep 21 07:16:31.069938: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.069941: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.069944: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.069946: | flags: none (0x0) Sep 21 07:16:31.069949: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.069952: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.069955: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.069958: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:31.070001: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:16:31.070003: | ***emit IKEv2 Nonce Payload: Sep 21 07:16:31.070006: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.070008: | flags: none (0x0) Sep 21 07:16:31.070011: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:16:31.070014: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.070017: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.070020: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.070022: | IKEv2 nonce be e6 7d e9 48 d2 bd b9 7c 37 2b d1 43 29 92 3f Sep 21 07:16:31.070025: | IKEv2 nonce bc 10 f4 a6 5d 09 01 ad 5f 31 a8 9f e4 39 82 74 Sep 21 07:16:31.070027: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.070030: | Adding a v2N Payload Sep 21 07:16:31.070033: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.070035: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.070038: | flags: none (0x0) Sep 21 07:16:31.070040: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070043: | SPI size: 0 (0x0) Sep 21 07:16:31.070046: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.070049: | next payload chain: setting
previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.070051: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.070054: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:16:31.070057: | NAT-Traversal support [enabled] add v2N payloads. Sep 21 07:16:31.070066: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.070069: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.070072: | natd_hash: rcookie= 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.070074: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.070076: | natd_hash: port= 01 f4 Sep 21 07:16:31.070079: | natd_hash: hash= d0 49 b5 5a 43 0b 85 8b 2e 1a a0 db 57 9b 32 d8 Sep 21 07:16:31.070081: | natd_hash: hash= ff f3 75 bb Sep 21 07:16:31.070083: | Adding a v2N Payload Sep 21 07:16:31.070086: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.070088: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.070098: | flags: none (0x0) Sep 21 07:16:31.070101: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070103: | SPI size: 0 (0x0) Sep 21 07:16:31.070106: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.070109: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.070112: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.070115: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.070117: | Notify data d0 49 b5 5a 43 0b 85 8b 2e 1a a0 db 57 9b 32 d8 Sep 21 07:16:31.070119: | Notify data ff f3 75 bb Sep 21 07:16:31.070124: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:31.070130: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.070132: | natd_hash: icookie= df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.070135: | natd_hash: rcookie= 2e c4 b9 50 
1a 1f 6d 83 Sep 21 07:16:31.070137: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.070139: | natd_hash: port= 01 f4 Sep 21 07:16:31.070141: | natd_hash: hash= fd 6c bc 23 b8 cc 38 42 87 d5 90 ff c2 03 81 a1 Sep 21 07:16:31.070145: | natd_hash: hash= cd 80 b7 be Sep 21 07:16:31.070147: | Adding a v2N Payload Sep 21 07:16:31.070150: | ***emit IKEv2 Notify Payload: Sep 21 07:16:31.070152: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.070155: | flags: none (0x0) Sep 21 07:16:31.070157: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.070159: | SPI size: 0 (0x0) Sep 21 07:16:31.070162: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.070165: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:16:31.070168: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.070171: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:16:31.070173: | Notify data fd 6c bc 23 b8 cc 38 42 87 d5 90 ff c2 03 81 a1 Sep 21 07:16:31.070175: | Notify data cd 80 b7 be Sep 21 07:16:31.070178: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:16:31.070180: | emitting length of ISAKMP Message: 440 Sep 21 07:16:31.070187: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.070190: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:16:31.070193: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:16:31.070197: | parent state #2: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:16:31.070199: | Message ID: updating counters for #2 to 0 after switching state Sep 21 07:16:31.070204: | Message ID: recv #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 
responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:16:31.070209: | Message ID: sent #2 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.070213: "north-eastnets/0x2" #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Sep 21 07:16:31.070218: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:31.070224: | sending 440 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Sep 21 07:16:31.070328: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.070333: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:31.070336: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:31.070339: | event_schedule: new EVENT_SO_DISCARD-pe@0x563a2098de70 Sep 21 07:16:31.070342: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #2 Sep 21 07:16:31.070345: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:31.070349: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Sep 21 07:16:31.070354: | #2 spent 0.55 milliseconds in resume sending helper answer Sep 21 07:16:31.070359: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.070362: | libevent_free: release ptr-libevent@0x7f7800006900 Sep 21 07:16:31.078437: | spent 0.00239 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.078458: | *received 464 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.078530: | start processing: from
192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:31.078534: | **parse ISAKMP Message: Sep 21 07:16:31.078539: | initiator cookie: Sep 21 07:16:31.078541: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.078543: | responder cookie: Sep 21 07:16:31.078546: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.078548: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.078551: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.078554: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.078560: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.078562: | Message ID: 1 (0x1) Sep 21 07:16:31.078565: | length: 464 (0x1d0) Sep 21 07:16:31.078568: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:31.078571: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:16:31.078575: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:16:31.078581: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.078584: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.078589: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.078592: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:16:31.078596: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:16:31.078598: | unpacking clear payload Sep 21 07:16:31.078601: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.078604: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.078606: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:16:31.078608: | flags: none (0x0) Sep 21 07:16:31.078611: | length: 436 (0x1b4) Sep 21 07:16:31.078613: | processing payload: ISAKMP_NEXT_v2SK (len=432) Sep 21 07:16:31.078618: 
| Message ID: start-responder #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:31.078621: | #2 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:16:31.078624: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:31.078627: | Now let's proceed with state specific processing Sep 21 07:16:31.078629: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:16:31.078632: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:16:31.078636: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Sep 21 07:16:31.078640: | adding ikev2_inI2outR2 KE work-order 3 for state #2 Sep 21 07:16:31.078643: | state #2 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:16:31.078646: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:31.078649: | free_event_entry: release EVENT_SO_DISCARD-pe@0x563a2098de70 Sep 21 07:16:31.078652: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:31.078655: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Sep 21 07:16:31.078658: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:31.078668: | #2 spent 0.034 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:16:31.078673: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.078676: | #2 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:16:31.078681: | suspending state #2 and saving MD Sep 21 07:16:31.078676: | crypto helper 3 resuming Sep 21 07:16:31.078685: | #2 is busy; has a suspended MD Sep 21 07:16:31.078693: | crypto helper 3 starting work-order 3 for state #2 Sep 21 07:16:31.078699: | [RE]START 
processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.078701: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 Sep 21 07:16:31.078703: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.078712: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.078717: | #2 spent 0.259 milliseconds in ikev2_process_packet() Sep 21 07:16:31.078721: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:31.078723: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.078726: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.078730: | spent 0.272 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.079246: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Sep 21 07:16:31.079568: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 3 time elapsed 0.000866 seconds Sep 21 07:16:31.079574: | (#2) spent 0.869 milliseconds in crypto helper computing work-order 3: ikev2_inI2outR2 KE (pcr) Sep 21 07:16:31.079576: | crypto helper 3 sending results from work-order 3 for state #2 to event queue Sep 21 07:16:31.079578: | scheduling resume sending helper answer for #2 Sep 21 07:16:31.079580: | libevent_malloc: new ptr-libevent@0x7f7804000f40 size 128 Sep 21 07:16:31.079586: | crypto helper 3 waiting (nothing to do) Sep 21 07:16:31.079591: | processing resume sending helper answer for #2 Sep 21 07:16:31.079597: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.079601: | crypto helper 3 replies to request ID 3 Sep 21 07:16:31.079603: | calling continuation 
function 0x563a1ff20630 Sep 21 07:16:31.079606: | ikev2_parent_inI2outR2_continue for #2: calculating g^{xy}, sending R2 Sep 21 07:16:31.079609: | #2 in state PARENT_R1: received v2I1, sent v2R1
Sep 21 07:16:31.079702: | calculated auth: 1b 47 a9 88 d9 e5 94 1f 45 27 0e e3 53 4c 01 ad Sep 21 07:16:31.079704: | provided auth: 1b 47 a9 88 d9 e5 94 1f 45 27 0e e3 53 4c 01 ad Sep 21 07:16:31.079707: | authenticator matched Sep 21 07:16:31.079715: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:31.079718: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:16:31.079721: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:16:31.079723: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:31.079726: | flags: none (0x0) Sep 21 07:16:31.079728: | length: 13 (0xd) Sep 21 07:16:31.079731: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.079733: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Sep 21 07:16:31.079736: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.079738: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.079741: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.079743: | flags: none (0x0) Sep 21 07:16:31.079745: | length: 12 (0xc) Sep 21 07:16:31.079748: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.079750: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:16:31.079752: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.079755: | **parse IKEv2 Authentication Payload: Sep
21 07:16:31.079757: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.079760: | flags: none (0x0) Sep 21 07:16:31.079762: | length: 282 (0x11a) Sep 21 07:16:31.079765: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.079767: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Sep 21 07:16:31.079769: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.079772: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.079774: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.079776: | flags: none (0x0) Sep 21 07:16:31.079779: | length: 44 (0x2c) Sep 21 07:16:31.079781: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:16:31.079788: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.079792: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.079795: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.079797: | flags: none (0x0) Sep 21 07:16:31.079799: | length: 24 (0x18) Sep 21 07:16:31.079801: | number of TS: 1 (0x1) Sep 21 07:16:31.079804: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.079806: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.079809: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.079811: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.079813: | flags: none (0x0) Sep 21 07:16:31.079816: | length: 24 (0x18) Sep 21 07:16:31.079818: | number of TS: 1 (0x1) Sep 21 07:16:31.079820: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.079823: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:16:31.079825: | Now let's proceed with state specific processing Sep 21 07:16:31.079827: | calling processor Responder: process IKE_AUTH request Sep 21 07:16:31.079845: "north-eastnets/0x2" #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:16:31.079851: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using 
md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.079854: | received IDr payload - extracting our alleged ID Sep 21 07:16:31.079858: | refine_host_connection for IKEv2: starting with "north-eastnets/0x2" Sep 21 07:16:31.079863: | match_id a=@north Sep 21 07:16:31.079866: | b=@north Sep 21 07:16:31.079868: | results matched Sep 21 07:16:31.079872: | refine_host_connection: checking "north-eastnets/0x2" against "north-eastnets/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:16:31.079874: | Warning: not switching back to template of current instance Sep 21 07:16:31.079877: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:16:31.079880: | This connection's local id is @east (ID_FQDN) Sep 21 07:16:31.079883: | refine_host_connection: checked north-eastnets/0x2 against north-eastnets/0x2, now for see if best Sep 21 07:16:31.079886: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.079889: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.079892: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:16:31.079896: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.079899: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.079901: | line 1: match=002 Sep 21 07:16:31.079904: | match 002 beats previous best_match 000 match=0x563a209811e0 (line=1) Sep 21 07:16:31.079907: | concluding with best_match=002 best=0x563a209811e0 (lineno=1) Sep 21 07:16:31.079909: | returning because exact peer id match Sep 21 07:16:31.079912: | offered CA: '%none' Sep 21 07:16:31.079914: "north-eastnets/0x2" #2: IKEv2 mode peer ID is ID_FQDN: '@north' Sep 21 07:16:31.079929: | verifying AUTH payload Sep 21 07:16:31.079941: | required RSA CA is '%any' Sep 21 07:16:31.079945: | checking RSA keyid '@east' for match with '@north' Sep 21 07:16:31.079948: | checking RSA keyid '@north' for match with '@north' Sep 21 07:16:31.079950: | RSA key 
issuer CA is '%any' Sep 21 07:16:31.080012: | an RSA Sig check passed with *AQPl33O2P [preloaded keys] Sep 21 07:16:31.080017: | #2 spent 0.0622 milliseconds in try_all_keys() trying a pubkey Sep 21 07:16:31.080020: "north-eastnets/0x2" #2: Authenticated using RSA Sep 21 07:16:31.080024: | #2 spent 0.0898 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:16:31.080027: | parent state #2: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:16:31.080031: | #2 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.080034: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.080037: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:31.080039: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a2098de70 Sep 21 07:16:31.080042: | event_schedule: new EVENT_SA_REKEY-pe@0x563a2098de70 Sep 21 07:16:31.080045: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #2 Sep 21 07:16:31.080048: | libevent_malloc: new ptr-libevent@0x563a2098deb0 size 128 Sep 21 07:16:31.080146: | pstats #2 ikev2.ike established Sep 21 07:16:31.080153: | **emit ISAKMP Message: Sep 21 07:16:31.080156: | initiator cookie: Sep 21 07:16:31.080158: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.080160: | responder cookie: Sep 21 07:16:31.080162: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.080165: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.080168: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.080170: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.080173: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.080175: | Message ID: 1 (0x1) Sep 21 07:16:31.080178: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.080181: | IKEv2 CERT: send a certificate? 
Sep 21 07:16:31.080183: | IKEv2 CERT: no certificate to send Sep 21 07:16:31.080186: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.080188: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.080191: | flags: none (0x0) Sep 21 07:16:31.080194: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.080199: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.080202: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.080208: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.080234: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.080237: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.080239: | flags: none (0x0) Sep 21 07:16:31.080242: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.080245: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.080248: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.080251: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:16:31.080253: | my identity 65 61 73 74 Sep 21 07:16:31.080255: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:16:31.080262: | assembled IDr payload Sep 21 07:16:31.080264: | CHILD SA proposals received Sep 21 07:16:31.080266: | going to assemble AUTH payload Sep 21 07:16:31.080269: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:31.080271: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.080274: | flags: none (0x0) Sep 21 07:16:31.080276: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.080279: | next payload chain: ignoring supplied 'IKEv2 
Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:16:31.080282: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.080285: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.080290: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.080293: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.080296: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:16:31.080299: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.080302: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.080304: | line 1: match=002 Sep 21 07:16:31.080307: | match 002 beats previous best_match 000 match=0x563a209811e0 (line=1) Sep 21 07:16:31.080310: | concluding with best_match=002 best=0x563a209811e0 (lineno=1) Sep 21 07:16:31.085393: | #2 spent 5.06 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:16:31.085401: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Sep 21 07:16:31.085449: | #2 spent 5.15 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:16:31.085452: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:16:31.085456: | creating state object #3 at 0x563a209962c0 Sep 21 07:16:31.085458: | State DB: adding IKEv2 state #3 in UNDEFINED Sep 21 07:16:31.085464: | pstats #3 ikev2.child started Sep 21 07:16:31.085467: | duplicating state object #2 "north-eastnets/0x2" as #3 for IPSEC SA Sep 21 07:16:31.085472: | #3 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.085477: | Message ID: init_child #2.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.085482: | Message ID: switch-from #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.085487: | Message ID: switch-to #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:16:31.085489: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21
07:16:31.085492: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.085495: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.085497: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.085500: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.085502: | length: 16 (0x10) Sep 21 07:16:31.085504: | start port: 0 (0x0) Sep 21 07:16:31.085507: | end port: 65535 (0xffff) Sep 21 07:16:31.085510: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.085512: | TS low c0 00 03 00 Sep 21 07:16:31.085515: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.085517: | TS high c0 00 03 ff Sep 21 07:16:31.085519: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.085521: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.085524: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.085526: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.085528: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.085531: | length: 16 (0x10) Sep 21 07:16:31.085533: | start port: 0 (0x0) Sep 21 07:16:31.085535: | end port: 65535 (0xffff) Sep 21 07:16:31.085538: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.085540: | TS low c0 00 02 00 Sep 21 07:16:31.085542: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.085544: | TS high c0 00 02 ff Sep 21 07:16:31.085547: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.085549: | looking for best SPD in current connection Sep 21 07:16:31.085555: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:31.085560: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.085566: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.085569: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.085572: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.085574: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 
07:16:31.085577: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.085582: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.085588: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:31.085590: | looking for better host pair Sep 21 07:16:31.085595: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:16:31.085601: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:16:31.085603: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:31.085606: | match_id a=@north Sep 21 07:16:31.085609: | b=@north Sep 21 07:16:31.085611: | results matched Sep 21 07:16:31.085616: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:31.085621: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.085626: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.085629: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.085631: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.085634: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.085637: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.085641: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.085646: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: NO Sep 21 07:16:31.085649: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:31.085651: | match_id a=@north Sep 21 07:16:31.085654: | b=@north Sep 21 07:16:31.085656: | results matched Sep 21 07:16:31.085661: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:31.085665: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 
.{start,end}port=0..65535 Sep 21 07:16:31.085671: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.085673: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.085676: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.085678: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.085681: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.085685: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.085691: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.085694: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.085696: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.085699: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.085701: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.085704: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.085706: | protocol fitness found better match d north-eastnets/0x1, TSi[0],TSr[0] Sep 21 07:16:31.085710: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:31.085713: | printing contents struct traffic_selector Sep 21 07:16:31.085715: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.085717: | ipprotoid: 0 Sep 21 07:16:31.085719: | port range: 0-65535 Sep 21 07:16:31.085723: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:31.085726: | printing contents struct traffic_selector Sep 21 07:16:31.085728: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.085730: | ipprotoid: 0 Sep 21 07:16:31.085732: | port range: 0-65535 Sep 21 07:16:31.085736: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.085739: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:16:31.085744: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:31.085749: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.085753: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.085758: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:31.085761: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.085763: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.085766: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.085768: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.085770: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.085773: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:31.085776: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.085779: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.085781: | length: 40 (0x28) Sep 21 07:16:31.085814: | prop #: 1 (0x1) Sep 21 07:16:31.085817: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.085819: | spi size: 4 (0x4) Sep 21 07:16:31.085822: | # transforms: 3 (0x3) Sep 21 07:16:31.085825: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.085827: | remote SPI 2d 97 3b f0 Sep 21 07:16:31.085830: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.085833: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.085836: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.085838: | length: 12 (0xc) Sep 21 07:16:31.085841: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.085843: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.085846: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.085848: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 
21 07:16:31.085851: | length/value: 128 (0x80) Sep 21 07:16:31.085855: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.085857: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.085860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.085862: | length: 8 (0x8) Sep 21 07:16:31.085865: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.085867: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.085871: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.085874: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.085876: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.085878: | length: 8 (0x8) Sep 21 07:16:31.085881: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.085883: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.085887: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.085890: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:16:31.085895: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:16:31.085897: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.085902: "north-eastnets/0x2" #2: proposal 1:ESP:SPI=2d973bf0;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Sep 21 07:16:31.085907: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=2d973bf0;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Sep 21 07:16:31.085910: | converting proposal to internal trans attrs Sep 21 07:16:31.085926: | netlink_get_spi: allocated 0xecbd618 for esp.0@192.1.2.23 
Sep 21 07:16:31.085929: | Emitting ikev2_proposal ... Sep 21 07:16:31.085931: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.085934: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.085936: | flags: none (0x0) Sep 21 07:16:31.085940: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.085944: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.085947: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.085949: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.085952: | prop #: 1 (0x1) Sep 21 07:16:31.085954: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.085956: | spi size: 4 (0x4) Sep 21 07:16:31.085959: | # transforms: 3 (0x3) Sep 21 07:16:31.085962: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.085965: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.085967: | our spi 0e cb d6 18 Sep 21 07:16:31.085969: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.085972: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.085974: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.085976: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.085979: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.085982: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.085985: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.085987: | length/value: 128 (0x80) Sep 21 07:16:31.085990: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.085992: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.085994: | 
last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.085997: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.085999: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.086003: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.086005: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.086008: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.086010: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.086013: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.086015: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.086018: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.086021: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.086023: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.086026: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.086028: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:16:31.086031: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.086034: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:16:31.086036: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.086039: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.086041: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.086044: | flags: none (0x0) Sep 21 07:16:31.086046: | 
number of TS: 1 (0x1) Sep 21 07:16:31.086049: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.086052: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.086056: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.086058: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.086061: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.086063: | start port: 0 (0x0) Sep 21 07:16:31.086065: | end port: 65535 (0xffff) Sep 21 07:16:31.086069: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.086071: | IP start c0 00 03 00 Sep 21 07:16:31.086073: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.086076: | IP end c0 00 03 ff Sep 21 07:16:31.086078: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.086081: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.086083: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.086085: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.086088: | flags: none (0x0) Sep 21 07:16:31.086090: | number of TS: 1 (0x1) Sep 21 07:16:31.086093: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.086096: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.086098: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.086101: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.086103: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.086105: | start port: 0 (0x0) Sep 21 07:16:31.086108: | end port: 65535 (0xffff) Sep 21 07:16:31.086110: | emitting 4 raw bytes of IP 
start into IKEv2 Traffic Selector Sep 21 07:16:31.086112: | IP start c0 00 02 00 Sep 21 07:16:31.086115: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.086117: | IP end c0 00 02 ff Sep 21 07:16:31.086120: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.086122: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.086125: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.086128: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.086425: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:16:31.086431: | install_ipsec_sa() for #3: inbound and outbound Sep 21 07:16:31.086434: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:31.086437: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.086440: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.086442: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.086445: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.086448: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.086453: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.086456: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.086459: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.086462: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.086466: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.086469: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.086472: | netlink: enabling tunnel mode Sep 21 07:16:31.086475: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.086477: | netlink: esp-hw-offload not set for IPsec SA Sep 21 
07:16:31.354493: | netlink response for Add SA esp.2d973bf0@192.1.3.33 included non-error error Sep 21 07:16:31.354506: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.354511: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.354515: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.354519: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.354528: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.354532: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.354535: | netlink: enabling tunnel mode Sep 21 07:16:31.354538: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.354541: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.354616: | netlink response for Add SA esp.ecbd618@192.1.2.23 included non-error error Sep 21 07:16:31.354621: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.354630: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:31.354634: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.354686: | raw_eroute result=success Sep 21 07:16:31.354690: | set up incoming SA, ref=0/0 Sep 21 07:16:31.354692: | sr for #3: unrouted Sep 21 07:16:31.354695: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.354698: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.354702: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.354705: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.354708: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.354710: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.354715: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Sep 21 07:16:31.354718: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #3 Sep 21 07:16:31.354722: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.354730: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:31.354733: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.354758: | raw_eroute result=success Sep 21 07:16:31.354762: | running updown command "ipsec _updown" for verb up Sep 21 07:16:31.354765: | command executing up-client Sep 21 07:16:31.354798: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x2 Sep 21 07:16:31.354804: | popen cmd is 1040 chars long Sep 21 07:16:31.354807: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Sep 21 07:16:31.354810: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:16:31.354813: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLU: Sep 21 07:16:31.354816: | cmd( 240):TO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_: Sep 21 07:16:31.354818: | cmd( 320):SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@nor: Sep 21 07:16:31.354821: | cmd( 400):th' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEE: Sep 21 07:16:31.354824: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:16:31.354826: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCR: Sep 21 07:16:31.354831: | cmd( 640):YPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Sep 21 07:16:31.354834: | cmd( 720):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=: Sep 21 07:16:31.354836: | cmd( 800):'0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: Sep 21 07:16:31.354839: | cmd( 880):CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: Sep 21 07:16:31.354841: | cmd( 960):TING='no' VTI_SHARED='no' SPI_IN=0x2d973bf0 SPI_OUT=0xecbd618 ipsec _updown 2>&1: Sep 21 07:16:31.366076: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.366088: | running updown command "ipsec _updown" for verb prepare Sep 21 07:16:31.366124: | command executing prepare-client Sep 21 07:16:31.366157: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 21 07:16:31.366160: | popen cmd is 1045 chars long Sep 21 07:16:31.366163: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:31.366166: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Sep 21 07:16:31.366169: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:16:31.366172: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:16:31.366174: | cmd( 320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=: Sep 21 07:16:31.366177: | cmd( 400):'@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUT: Sep 21 07:16:31.366180: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Sep 21 07:16:31.366182: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Sep 21 07:16:31.366185: | cmd( 
640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Sep 21 07:16:31.366187: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Sep 21 07:16:31.366190: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Sep 21 07:16:31.366193: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Sep 21 07:16:31.366195: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0x2d973bf0 SPI_OUT=0xecbd618 ipsec _updown: Sep 21 07:16:31.366198: | cmd(1040): 2>&1: Sep 21 07:16:31.376600: | running updown command "ipsec _updown" for verb route Sep 21 07:16:31.376618: | command executing route-client Sep 21 07:16:31.376650: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:16:31.376657: | popen cmd is 1043 chars long Sep 21 07:16:31.376660: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Sep 21 07:16:31.376663: | cmd( 80):x1' 
PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:16:31.376666: | cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Sep 21 07:16:31.376668: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:16:31.376671: | cmd( 320):TO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@: Sep 21 07:16:31.376674: | cmd( 400):north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_: Sep 21 07:16:31.376676: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Sep 21 07:16:31.376679: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: Sep 21 07:16:31.376681: | cmd( 640):NCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: Sep 21 07:16:31.376684: | cmd( 720):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Sep 21 07:16:31.376686: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Sep 21 07:16:31.376689: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Sep 21 07:16:31.376692: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x2d973bf0 SPI_OUT=0xecbd618 ipsec _updown 2: Sep 21 07:16:31.376694: | cmd(1040):>&1: Sep 21 07:16:31.387284: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x563a2098d350,sr=0x563a2098d350} to #3 (was #0) (newest_ipsec_sa=#0) Sep 21 07:16:31.387360: | #2 spent 1.14 milliseconds in install_ipsec_sa() Sep 21 07:16:31.387365: | ISAKMP_v2_IKE_AUTH: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #2 Sep 21 07:16:31.387368: | adding 14 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.387370: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 
Encryption Payload Sep 21 07:16:31.387373: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387380: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387383: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387387: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387390: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387393: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387397: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387400: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387404: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387407: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387411: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387414: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387421: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.387425: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.387428: | emitting length of IKEv2 Encryption Payload: 436 Sep 21 07:16:31.387431: | emitting length of ISAKMP Message: 464
Sep 21 07:16:31.387527: | out calculated auth: Sep 21 07:16:31.387528: | 3b 5e 1d 5d 21 72 68 e6 1e 70 28 72 47 dc e0 9c Sep 21 07:16:31.387532: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:16:31.387536: | #2 spent 7.88 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:16:31.387540: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.387543: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.387546: | #3 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:16:31.387548: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:16:31.387551: | child state #3: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:31.387554: | Message ID: updating counters for #3 to 1 after switching state Sep 21 07:16:31.387558: | Message ID: recv #2.#3 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:16:31.387561: | Message ID: sent #2.#3 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.387563: | pstats #3 ikev2.child established Sep 21 07:16:31.387568: "north-eastnets/0x1" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:31.387570: | NAT-T: encaps is 'auto' Sep 21 07:16:31.387573: "north-eastnets/0x1" #3:
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x2d973bf0 <0x0ecbd618 xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.387576: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:31.387580: | sending 464 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Sep 21 07:16:31.387658: | releasing whack for #3 (sock=fd@-1) Sep 21 07:16:31.387661: | releasing whack and unpending for parent #2 Sep 21 07:16:31.387663: | unpending state #2 connection "north-eastnets/0x1" Sep 21 07:16:31.387666: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.387681: | event_schedule: new EVENT_SA_REKEY-pe@0x563a20995ad0 Sep 21 07:16:31.387684: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Sep 21 07:16:31.387686: | libevent_malloc: new ptr-libevent@0x563a20998220 size 128 Sep 21 07:16:31.387690: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Sep 21 07:16:31.387696: | #2 spent 8.24 milliseconds in resume sending helper answer Sep 21 07:16:31.387699: | stop processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.387702: | libevent_free: release ptr-libevent@0x7f7804000f40 Sep 21 07:16:31.387711: | timer_event_cb: processing event@0x7f7808002b20 Sep 21 07:16:31.387713: | handling event EVENT_RETRANSMIT for parent state #1 Sep 21 07:16:31.387716: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:31.387718: | IKEv2 retransmit event Sep 21 07:16:31.387721: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in retransmit_v2_msg() at retry.c:144) Sep 21
07:16:31.387724: | handling event EVENT_RETRANSMIT for 192.1.3.33 "north-eastnets/0x2" #1 attempt 2 of 0 Sep 21 07:16:31.387726: | and parent for 192.1.3.33 "north-eastnets/0x2" #1 keying attempt 1 of 0; retransmit 2 Sep 21 07:16:31.387730: | retransmits: current time 48837.755993; retransmit count 1 exceeds limit? NO; deltatime 1 exceeds limit? NO; monotime 1.247211 exceeds limit? NO Sep 21 07:16:31.387732: | event_schedule: new EVENT_RETRANSMIT-pe@0x563a20998d50 Sep 21 07:16:31.387734: | inserting event EVENT_RETRANSMIT, timeout in 1 seconds for #1 Sep 21 07:16:31.387735: | libevent_malloc: new ptr-libevent@0x7f7804000f40 size 128 Sep 21 07:16:31.387738: "north-eastnets/0x2" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response Sep 21 07:16:31.387741: | sending 440 bytes for EVENT_RETRANSMIT through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:31.387800: | libevent_free: release ptr-libevent@0x7f7808006900 Sep 21 07:16:31.387805: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f7808002b20 Sep 21 07:16:31.387808: | #1 spent 0.085 milliseconds in timer_event_cb() EVENT_RETRANSMIT Sep 21 07:16:31.387813: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.387815: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.387818: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.387821: | spent 0.00346 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.387823: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.387825: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.387827: | spent 0.00227 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.387829: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.387831: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.387833: | spent 0.00223 milliseconds in signal handler PLUTO_SIGCHLD Sep 21
07:16:31.435867: | spent 0.00263 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.435883: | *received 440 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.435926: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:31.435928: | **parse ISAKMP Message: Sep 21 07:16:31.435929: | initiator cookie: Sep 21 07:16:31.435931: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.435932: | responder cookie: Sep 21 07:16:31.435934: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.435935: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.435937: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.435939: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:16:31.435940: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.435942: | Message ID: 0 (0x0) Sep 21 07:16:31.435943: | length: 440 (0x1b8) Sep 21 07:16:31.435945: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:16:31.435947: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response Sep 21 07:16:31.435952: | State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) Sep 21 07:16:31.435957: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.435960: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.435961: | #1 is idle Sep 21 07:16:31.435963: | #1 idle Sep 21 07:16:31.435964: | unpacking clear payload Sep 21 07:16:31.435966: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.435968: | ***parse IKEv2 Security Association Payload: Sep 21 07:16:31.435970: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.435971: | flags: none (0x0) Sep 21 07:16:31.435973: | length: 48 (0x30) Sep
21 07:16:31.435974: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:16:31.435976: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.435977: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.435979: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.435980: | flags: none (0x0) Sep 21 07:16:31.435982: | length: 264 (0x108) Sep 21 07:16:31.435983: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.435985: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:16:31.435986: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.435987: | ***parse IKEv2 Nonce Payload: Sep 21 07:16:31.435989: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.435990: | flags: none (0x0) Sep 21 07:16:31.435992: | length: 36 (0x24) Sep 21 07:16:31.435993: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.435995: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.435996: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.435998: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.435999: | flags: none (0x0) Sep 21 07:16:31.436000: | length: 8 (0x8) Sep 21 07:16:31.436002: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.436003: | SPI size: 0 (0x0) Sep 21 07:16:31.436005: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:16:31.436007: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:16:31.436008: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.436010: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.436011: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:16:31.436012: | flags: none (0x0) Sep 21 07:16:31.436014: | length: 28 (0x1c) Sep 21 07:16:31.436015: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.436017: | SPI size: 0 (0x0) Sep 21 07:16:31.436018: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:16:31.436020: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.436021: | Now 
let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:16:31.436022: | ***parse IKEv2 Notify Payload: Sep 21 07:16:31.436024: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436025: | flags: none (0x0) Sep 21 07:16:31.436027: | length: 28 (0x1c) Sep 21 07:16:31.436028: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:16:31.436029: | SPI size: 0 (0x0) Sep 21 07:16:31.436031: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:16:31.436032: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:16:31.436034: | State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir] Sep 21 07:16:31.436036: | #1 in state PARENT_I1: sent v2I1, expected v2R1 Sep 21 07:16:31.436038: | selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Sep 21 07:16:31.436040: | Now let's proceed with state specific processing Sep 21 07:16:31.436041: | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Sep 21 07:16:31.436044: | ikev2 parent inR1: calculating g^{xy} in order to send I2 Sep 21 07:16:31.436048: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Sep 21 07:16:31.436051: | Comparing remote proposals against IKE initiator (accepting) 1 local proposals Sep 21 07:16:31.436054: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.436056: | local proposal 1 type PRF has 1 transforms Sep 21 07:16:31.436057: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.436059: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.436060: | local proposal 1 type ESN has 0 transforms Sep 21 07:16:31.436062: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:16:31.436064: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.436066: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.436067: | length: 44 (0x2c) 
Sep 21 07:16:31.436068: | prop #: 1 (0x1) Sep 21 07:16:31.436070: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:16:31.436071: | spi size: 0 (0x0) Sep 21 07:16:31.436073: | # transforms: 4 (0x4) Sep 21 07:16:31.436075: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.436077: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436078: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436080: | length: 12 (0xc) Sep 21 07:16:31.436081: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.436083: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.436084: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.436086: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.436087: | length/value: 256 (0x100) Sep 21 07:16:31.436090: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.436092: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436093: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436095: | length: 8 (0x8) Sep 21 07:16:31.436096: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:16:31.436098: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:16:31.436100: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:16:31.436101: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436103: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.436104: | length: 8 (0x8) Sep 21 07:16:31.436105: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.436107: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:16:31.436109: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.436110: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.436112: | last transform: 
v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.436113: | length: 8 (0x8) Sep 21 07:16:31.436115: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.436116: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:16:31.436118: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.436120: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Sep 21 07:16:31.436123: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Sep 21 07:16:31.436125: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.436127: | remote accepted the proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Sep 21 07:16:31.436128: | converting proposal to internal trans attrs Sep 21 07:16:31.436140: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.436142: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.436144: | natd_hash: rcookie= 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.436146: | natd_hash: ip= c0 01 02 17 Sep 21 07:16:31.436148: | natd_hash: port= 01 f4 Sep 21 07:16:31.436149: | natd_hash: hash= 58 6e 33 b5 37 63 77 ea 9a 70 23 69 9c ae 54 25 Sep 21 07:16:31.436151: | natd_hash: hash= 25 62 c9 4d Sep 21 07:16:31.436154: | natd_hash: hasher=0x563a1fff67a0(20) Sep 21 07:16:31.436156: | natd_hash: icookie= cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.436157: | natd_hash: rcookie= 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.436158: | natd_hash: ip= c0 01 03 21 Sep 21 07:16:31.436160: | natd_hash: port= 01 f4 Sep 21 07:16:31.436161: | natd_hash: hash= 7a d0 7a cc f1 19 bb 1d 11 c9 7b 93 3f 92 d6 f4 Sep 21 07:16:31.436162: | natd_hash: hash= 96 e4 b3 db Sep 21 07:16:31.436164: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:16:31.436165: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:16:31.436167: | NAT_TRAVERSAL 
that end is NOT behind NAT Sep 21 07:16:31.436169: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:16:31.436171: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Sep 21 07:16:31.436173: | adding ikev2_inR1outI2 KE work-order 4 for state #1 Sep 21 07:16:31.436175: | state #1 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.436177: | #1 STATE_PARENT_I1: retransmits: cleared Sep 21 07:16:31.436180: | libevent_free: release ptr-libevent@0x7f7804000f40 Sep 21 07:16:31.436181: | free_event_entry: release EVENT_RETRANSMIT-pe@0x563a20998d50 Sep 21 07:16:31.436183: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a20998d50 Sep 21 07:16:31.436186: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:16:31.436187: | libevent_malloc: new ptr-libevent@0x7f7804000f40 size 128 Sep 21 07:16:31.436195: | #1 spent 0.15 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet() Sep 21 07:16:31.436213: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.436216: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND Sep 21 07:16:31.436217: | suspending state #1 and saving MD Sep 21 07:16:31.436219: | #1 is busy; has a suspended MD Sep 21 07:16:31.436221: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.436221: | crypto helper 5 resuming Sep 21 07:16:31.436232: | crypto helper 5 starting work-order 4 for state #1 Sep 21 07:16:31.436223: | "north-eastnets/0x2" #1 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.436235: | crypto helper 5 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 Sep 21 07:16:31.436242: | stop processing: state #1 
connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.436250: | #1 spent 0.367 milliseconds in ikev2_process_packet() Sep 21 07:16:31.436253: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:31.436255: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.436256: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.436259: | spent 0.376 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.436629: | spent 0.00151 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.436642: | *received 608 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.436700: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:31.436702: | **parse ISAKMP Message: Sep 21 07:16:31.436704: | initiator cookie: Sep 21 07:16:31.436705: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.436707: | responder cookie: Sep 21 07:16:31.436708: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.436710: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.436711: |
ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.436713: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.436715: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.436716: | Message ID: 2 (0x2) Sep 21 07:16:31.436718: | length: 608 (0x260) Sep 21 07:16:31.436720: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:16:31.436722: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Sep 21 07:16:31.436724: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:16:31.436727: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.436729: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:16:31.436732: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:16:31.436734: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:16:31.436736: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:16:31.436739: | unpacking clear payload Sep 21 07:16:31.436740: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.436742: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.436744: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.436745: | flags: none (0x0) Sep 21 07:16:31.436747: | length: 580 (0x244) Sep 21 07:16:31.436748: | processing payload: ISAKMP_NEXT_v2SK (len=576) Sep 21 07:16:31.436751: | Message ID: start-responder #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:31.436753: | #2 in state PARENT_R2: received v2I2, PARENT SA established
Sep 21 07:16:31.436820: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Sep 21 07:16:31.436874: | calculated auth: 42 5a 1d 94 22 97 61 a5 3e 9a 81 07 53 71 fe b6 Sep 21 07:16:31.436875: | provided auth: 42 5a 1d 94 22 97 61 a5 3e 9a 81 07 53 71 fe b6 Sep 21 07:16:31.436877: | authenticator matched Sep 21 07:16:31.436885: | #2 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:16:31.436887: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.436888: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.436890: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.436892: | flags: none (0x0) Sep 21 07:16:31.436893: | length: 52 (0x34) Sep 21 07:16:31.436895: | processing payload: ISAKMP_NEXT_v2SA (len=48) Sep 21 07:16:31.436896: | Now
let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.436898: | **parse IKEv2 Nonce Payload: Sep 21 07:16:31.436899: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.436901: | flags: none (0x0) Sep 21 07:16:31.436902: | length: 36 (0x24) Sep 21 07:16:31.436903: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.436905: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.436906: | **parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.436908: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.436909: | flags: none (0x0) Sep 21 07:16:31.436911: | length: 392 (0x188) Sep 21 07:16:31.436912: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.436914: | processing payload: ISAKMP_NEXT_v2KE (len=384) Sep 21 07:16:31.436915: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.436917: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.436918: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.436919: | flags: none (0x0) Sep 21 07:16:31.436921: | length: 24 (0x18) Sep 21 07:16:31.436922: | number of TS: 1 (0x1) Sep 21 07:16:31.436924: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.436925: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.436927: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.436928: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.436930: | flags: none (0x0) Sep 21 07:16:31.436931: | length: 24 (0x18) Sep 21 07:16:31.436932: | number of TS: 1 (0x1) Sep 21 07:16:31.436934: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.436936: | state #2 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Sep 21 07:16:31.436937: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:31.436941: | #2 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at 
state.c:2668) Sep 21 07:16:31.436944: | creating state object #4 at 0x563a209a0390 Sep 21 07:16:31.436946: | State DB: adding IKEv2 state #4 in UNDEFINED Sep 21 07:16:31.436948: | pstats #4 ikev2.child started Sep 21 07:16:31.436950: | duplicating state object #2 "north-eastnets/0x2" as #4 for IPSEC SA Sep 21 07:16:31.436953: | #4 setting local endpoint to 192.1.2.23:500 from #2.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.436956: | Message ID: init_child #2.#4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.436959: | child state #4: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Sep 21 07:16:31.436962: | "north-eastnets/0x2" #2 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "north-eastnets/0x2" #4 in STATE_V2_CREATE_R will process it further Sep 21 07:16:31.436964: | Message ID: switch-from #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:31.436968: | Message ID: switch-to #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Sep 21 07:16:31.436970: | forcing ST #2 to CHILD #2.#4 in FSM processor Sep 21 07:16:31.436971: | Now let's proceed with state specific processing Sep 21 07:16:31.436973: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:16:31.436976: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:16:31.436978: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Sep 21 07:16:31.436981: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Sep 21 07:16:31.436984: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.436987: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.436989: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:16:31.436993: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.436994: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.436996: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.436997: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.436999: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.437001: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:16:31.437003: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.437004: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.437006: | length: 48 (0x30) Sep 21 07:16:31.437007: | prop #: 1 (0x1) Sep 21 07:16:31.437009: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.437010: | spi size: 4 (0x4) Sep 21 07:16:31.437012: | # transforms: 4 (0x4) Sep 21 07:16:31.437014: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.437015: | remote SPI c8 d0 fe 50 Sep 21 07:16:31.437017: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.437019: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.437020: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.437022: | length: 12 (0xc) Sep 21 07:16:31.437023: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.437025: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.437026: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.437028: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.437030: | length/value: 128 (0x80) Sep 21 07:16:31.437032: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.437034: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.437035: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.437037: | length: 8 (0x8) Sep 21 07:16:31.437038: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.437040: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.437042: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.437043: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.437045: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.437046: | length: 8 (0x8) Sep 21 07:16:31.437048: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.437049: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.437051: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.437053: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.437054: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.437057: | length: 8 (0x8) Sep 21 07:16:31.437058: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.437060: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.437062: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.437064: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Sep 21 07:16:31.437067: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Sep 21 07:16:31.437068: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.437071: "north-eastnets/0x2" #2: proposal 
1:ESP:SPI=c8d0fe50;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Sep 21 07:16:31.437074: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=c8d0fe50;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.437076: | converting proposal to internal trans attrs Sep 21 07:16:31.437079: | updating #4's .st_oakley with preserved PRF, but why update? Sep 21 07:16:31.437082: | Child SA TS Request has child->sa == md->st; so using child connection Sep 21 07:16:31.437084: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.437086: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.437087: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.437089: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.437090: | length: 16 (0x10) Sep 21 07:16:31.437092: | start port: 0 (0x0) Sep 21 07:16:31.437093: | end port: 65535 (0xffff) Sep 21 07:16:31.437095: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.437096: | TS low c0 00 03 00 Sep 21 07:16:31.437098: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.437100: | TS high c0 00 03 ff Sep 21 07:16:31.437101: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.437103: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.437104: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.437105: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.437107: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.437108: | length: 16 (0x10) Sep 21 07:16:31.437110: | start port: 0 (0x0) Sep 21 07:16:31.437111: | end port: 65535 (0xffff) Sep 21 07:16:31.437112: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.437114: | TS low c0 00 16 00 Sep 21 07:16:31.437115: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.437117: | TS high c0 00 16 ff Sep 21 07:16:31.437118: | TSr: 
parsed 1 traffic selectors Sep 21 07:16:31.437120: | looking for best SPD in current connection Sep 21 07:16:31.437123: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:31.437127: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437131: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.437132: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.437134: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.437136: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.437138: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.437141: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437144: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.437146: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.437147: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.437149: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.437150: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.437154: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.437155: | crypto helper 5 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 4 time elapsed 0.000919 seconds Sep 21 07:16:31.437156: | found better spd route for TSi[0],TSr[0] Sep 21 07:16:31.437163: | (#1) spent 0.896 milliseconds in crypto helper computing work-order 4: ikev2_inR1outI2 KE (pcr) Sep 21 07:16:31.437167: | crypto helper 5 sending results from work-order 4 for state #1 to event queue Sep 21 07:16:31.437170: | scheduling resume sending helper answer for #1 Sep 21 07:16:31.437163: | looking for better host pair Sep 21 07:16:31.437173: | libevent_malloc: new ptr-libevent@0x7f77f8003060 size 128 Sep 21 07:16:31.437178: | find_host_pair: comparing 192.1.2.23:500 to 
192.1.3.33:500 but ignoring ports Sep 21 07:16:31.437180: | libevent_realloc: release ptr-libevent@0x563a2096f860 Sep 21 07:16:31.437182: | libevent_realloc: new ptr-libevent@0x563a2098c3f0 size 128 Sep 21 07:16:31.437182: | checking hostpair 192.0.22.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:16:31.437187: | crypto helper 5 waiting (nothing to do) Sep 21 07:16:31.437187: | investigating connection "north-eastnets/0x2" as a better match Sep 21 07:16:31.437193: | match_id a=@north Sep 21 07:16:31.437194: | b=@north Sep 21 07:16:31.437196: | results matched Sep 21 07:16:31.437199: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Sep 21 07:16:31.437202: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437205: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.437207: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.437208: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.437210: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.437212: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.437214: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437217: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.437219: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.437221: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.437222: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.437224: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.437225: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.437227: | investigating connection "north-eastnets/0x1" as a better match Sep 21 07:16:31.437228: | match_id a=@north Sep 21 07:16:31.437230: | b=@north Sep 21 07:16:31.437231: | results matched Sep 21 07:16:31.437234: | 
evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:16:31.437237: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437240: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.437242: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.437243: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.437245: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.437246: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.437249: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.437252: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: NO Sep 21 07:16:31.437254: | did not find a better connection using host pair Sep 21 07:16:31.437255: | printing contents struct traffic_selector Sep 21 07:16:31.437257: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.437258: | ipprotoid: 0 Sep 21 07:16:31.437259: | port range: 0-65535 Sep 21 07:16:31.437263: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:16:31.437264: | printing contents struct traffic_selector Sep 21 07:16:31.437266: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:16:31.437267: | ipprotoid: 0 Sep 21 07:16:31.437268: | port range: 0-65535 Sep 21 07:16:31.437284: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.437286: | adding Child Responder KE and nonce nr work-order 5 for state #4 Sep 21 07:16:31.437288: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f7808002b20 Sep 21 07:16:31.437290: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:31.437307: | libevent_malloc: new ptr-libevent@0x7f7808006900 size 128 Sep 21 07:16:31.437314: | #4 spent 0.329 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Sep 21 07:16:31.437318: | suspend processing: state #2 connection 
"north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.437320: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.437320: | crypto helper 1 resuming Sep 21 07:16:31.437323: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:31.437333: | crypto helper 1 starting work-order 5 for state #4 Sep 21 07:16:31.437334: | suspending state #4 and saving MD Sep 21 07:16:31.437339: | #4 is busy; has a suspended MD Sep 21 07:16:31.437339: | crypto helper 1 doing build KE and nonce (Child Responder KE and nonce nr); request ID 5 Sep 21 07:16:31.437344: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.437351: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.437353: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.437356: | #2 spent 0.695 milliseconds in ikev2_process_packet() Sep 21 07:16:31.437359: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:31.437361: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.437362: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.437365: | spent 0.703 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.437370: | processing resume sending helper answer for #1 Sep 21 07:16:31.437373: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.437375: | crypto helper 5 replies to request ID 4 Sep 21 07:16:31.437376: | calling continuation function 0x563a1ff20630 Sep 21 
07:16:31.437378: | ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2 Sep 21 07:16:31.437383: | creating state object #5 at 0x563a209a1d40 Sep 21 07:16:31.437385: | State DB: adding IKEv2 state #5 in UNDEFINED Sep 21 07:16:31.437387: | pstats #5 ikev2.child started Sep 21 07:16:31.437388: | duplicating state object #1 "north-eastnets/0x2" as #5 for IPSEC SA Sep 21 07:16:31.437391: | #5 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.437395: | Message ID: init_child #1.#5; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.437397: | Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1 Sep 21 07:16:31.437400: | Message ID: switch-to #1.#5 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:31.437402: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.437404: | libevent_free: release ptr-libevent@0x7f7804000f40 Sep 21 07:16:31.437407: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a20998d50 Sep 21 07:16:31.437408: | event_schedule: new EVENT_SA_REPLACE-pe@0x563a20998d50 Sep 21 07:16:31.437411: | inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1 Sep 21 07:16:31.437412: | libevent_malloc: new ptr-libevent@0x7f7804000f40 size 128 Sep 21 07:16:31.437414: | parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) Sep 21 07:16:31.437418: | **emit ISAKMP Message: Sep 21 07:16:31.437420: | initiator cookie: Sep 21 07:16:31.437421: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.437423: | responder cookie: Sep 21 07:16:31.437424: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.437426: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.437427: | ISAKMP 
version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.437429: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.437431: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.437432: | Message ID: 1 (0x1) Sep 21 07:16:31.437434: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.437436: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.437437: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.437439: | flags: none (0x0) Sep 21 07:16:31.437441: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.437443: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.437445: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.437451: | IKEv2 CERT: send a certificate? Sep 21 07:16:31.437453: | IKEv2 CERT: no certificate to send Sep 21 07:16:31.437455: | IDr payload will be sent Sep 21 07:16:31.437473: | ****emit IKEv2 Identification - Initiator - Payload: Sep 21 07:16:31.437477: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.437480: | flags: none (0x0) Sep 21 07:16:31.437483: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.437486: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) Sep 21 07:16:31.437490: | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.437493: | emitting 4 raw bytes of my identity into IKEv2 Identification - Initiator - Payload Sep 21 07:16:31.437496: | my identity 65 61 73 74 Sep 21 07:16:31.437499: | emitting length of IKEv2 Identification - Initiator - Payload: 12 Sep 21 07:16:31.437508: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.437511: | next payload type: 
ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.437514: | flags: none (0x0) Sep 21 07:16:31.437517: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.437521: | next payload chain: ignoring supplied 'IKEv2 Identification - Responder - Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH Sep 21 07:16:31.437524: | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.437527: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.437531: | emitting 5 raw bytes of IDr into IKEv2 Identification - Responder - Payload Sep 21 07:16:31.437533: | IDr 6e 6f 72 74 68 Sep 21 07:16:31.437536: | emitting length of IKEv2 Identification - Responder - Payload: 13 Sep 21 07:16:31.437539: | not sending INITIAL_CONTACT Sep 21 07:16:31.437542: | ****emit IKEv2 Authentication Payload: Sep 21 07:16:31.437545: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.437548: | flags: none (0x0) Sep 21 07:16:31.437551: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.437554: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.437560: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.437566: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.437569: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:16:31.437573: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:16:31.437576: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.437578: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:16:31.437581: | line 1: match=002 Sep 21 07:16:31.437583: | match 002 beats previous best_match 000 
match=0x563a209811e0 (line=1) Sep 21 07:16:31.437586: | concluding with best_match=002 best=0x563a209811e0 (lineno=1) Sep 21 07:16:31.438883: | crypto helper 1 finished build KE and nonce (Child Responder KE and nonce nr); request ID 5 time elapsed 0.001543 seconds Sep 21 07:16:31.438894: | (#4) spent 1.53 milliseconds in crypto helper computing work-order 5: Child Responder KE and nonce nr (pcr) Sep 21 07:16:31.438897: | crypto helper 1 sending results from work-order 5 for state #4 to event queue Sep 21 07:16:31.438899: | scheduling resume sending helper answer for #4 Sep 21 07:16:31.438901: | libevent_malloc: new ptr-libevent@0x7f77fc005780 size 128 Sep 21 07:16:31.438905: | crypto helper 1 waiting (nothing to do) Sep 21 07:16:31.440752: | #1 spent 3.13 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:16:31.440760: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Sep 21 07:16:31.440812: | #1 spent 3.2 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:16:31.440814: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:16:31.440816: | getting first pending from state #1 Sep 21 07:16:31.440818: | Switching Child connection for #5 to "north-eastnets/0x1" from "north-eastnets/0x2" Sep 21 07:16:31.440821: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:31.440850: | netlink_get_spi: allocated 0x4066dd7c for esp.0@192.1.2.23 Sep 21 07:16:31.440855: | using existing local ESP/AH proposals for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.440856: | Emitting ikev2_proposals ...
Sep 21 07:16:31.440858: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.440863: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.440865: | flags: none (0x0) Sep 21 07:16:31.440868: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.440870: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.440871: | discarding DH=NONE Sep 21 07:16:31.440873: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.440875: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.440877: | prop #: 1 (0x1) Sep 21 07:16:31.440878: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.440879: | spi size: 4 (0x4) Sep 21 07:16:31.440881: | # transforms: 3 (0x3) Sep 21 07:16:31.440883: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.440884: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.440886: | our spi 40 66 dd 7c Sep 21 07:16:31.440888: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.440889: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.440891: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.440892: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.440894: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.440896: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.440897: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.440899: | length/value: 128 (0x80) Sep 21 07:16:31.440901: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.440902: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.440904: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.440905: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.440907: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.440908: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.440910: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.440912: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.440913: | discarding DH=NONE Sep 21 07:16:31.440915: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.440916: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.440918: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.440919: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.440921: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.440922: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.440924: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.440925: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:16:31.440927: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.440929: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:16:31.440930: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.440933: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.440934: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.440936: | flags: 
none (0x0) Sep 21 07:16:31.440937: | number of TS: 1 (0x1) Sep 21 07:16:31.440939: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.440942: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.440943: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.440945: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.440946: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.440948: | start port: 0 (0x0) Sep 21 07:16:31.440949: | end port: 65535 (0xffff) Sep 21 07:16:31.440951: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.440953: | IP start c0 00 02 00 Sep 21 07:16:31.440954: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.440956: | IP end c0 00 02 ff Sep 21 07:16:31.440957: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.440959: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.440960: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.440962: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.440963: | flags: none (0x0) Sep 21 07:16:31.440965: | number of TS: 1 (0x1) Sep 21 07:16:31.440967: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.440968: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.440970: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.440971: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.440973: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.440974: | start port: 0 (0x0) Sep 21 07:16:31.440975: | end port: 65535 (0xffff) Sep 21 
07:16:31.440977: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.440978: | IP start c0 00 03 00 Sep 21 07:16:31.440980: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.440981: | IP end c0 00 03 ff Sep 21 07:16:31.440983: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.440984: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.440986: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Sep 21 07:16:31.440987: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.440989: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.440991: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.440993: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.440995: | emitting length of IKEv2 Encryption Payload: 436 Sep 21 07:16:31.440996: | emitting length of ISAKMP Message: 464
Sep 21 07:16:31.441061: | out calculated auth: Sep 21 07:16:31.441062: | 9b 45 fb 16 f9 cb cf 46 27 99 e1 26 06 ce 89 72 Sep 21 07:16:31.441067: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.441070: | start processing: state #5 connection "north-eastnets/0x1"
from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.441073: | #5 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK Sep 21 07:16:31.441075: | IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2 Sep 21 07:16:31.441077: | child state #5: UNDEFINED(ignore) => PARENT_I2(open IKE SA) Sep 21 07:16:31.441079: | Message ID: updating counters for #5 to 0 after switching state Sep 21 07:16:31.441082: | Message ID: recv #1.#5 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1 Sep 21 07:16:31.441085: | Message ID: sent #1.#5 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1 Sep 21 07:16:31.441088: "north-eastnets/0x1" #5: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Sep 21 07:16:31.441091: | sending V2 reply packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:31.441095: | sending 464 bytes for STATE_PARENT_I1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:31.441174: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:31.441193: | event_schedule: new EVENT_RETRANSMIT-pe@0x563a20913250 Sep 21 07:16:31.441195: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #5 Sep 21 07:16:31.441197: | libevent_malloc: new ptr-libevent@0x563a20996ea0 size 128 Sep 21 07:16:31.441201: | #5 STATE_PARENT_I2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48837.809442 Sep 21 07:16:31.441204: | resume sending helper answer for #1
suppresed complete_v2_state_transition() Sep 21 07:16:31.441208: | #1 spent 3.77 milliseconds in resume sending helper answer Sep 21 07:16:31.441211: | stop processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.441213: | libevent_free: release ptr-libevent@0x7f77f8003060 Sep 21 07:16:31.441219: | processing resume sending helper answer for #4 Sep 21 07:16:31.441223: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.441225: | crypto helper 1 replies to request ID 5 Sep 21 07:16:31.441227: | calling continuation function 0x563a1ff20630 Sep 21 07:16:31.441228: | ikev2_child_inIoutR_continue for #4 STATE_V2_CREATE_R Sep 21 07:16:31.441232: | adding DHv2 for child sa work-order 6 for state #4 Sep 21 07:16:31.441234: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.441235: | libevent_free: release ptr-libevent@0x7f7808006900 Sep 21 07:16:31.441237: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f7808002b20 Sep 21 07:16:31.441239: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f7808002b20 Sep 21 07:16:31.441241: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Sep 21 07:16:31.441243: | libevent_malloc: new ptr-libevent@0x7f7808006900 size 128 Sep 21 07:16:31.441249: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.441251: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:16:31.441253: | suspending state #4 and saving MD Sep 21 07:16:31.441255: | #4 is busy; has a suspended MD Sep 21 07:16:31.441257: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.441257: | crypto helper 6 resuming Sep 21 07:16:31.441261: | "north-eastnets/0x2" 
#4 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.441276: | resume sending helper answer for #4 suppresed complete_v2_state_transition() and stole MD Sep 21 07:16:31.441270: | crypto helper 6 starting work-order 6 for state #4 Sep 21 07:16:31.441280: | #4 spent 0.0497 milliseconds in resume sending helper answer Sep 21 07:16:31.441286: | crypto helper 6 doing crypto (DHv2 for child sa); request ID 6 Sep 21 07:16:31.441287: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.441292: | libevent_free: release ptr-libevent@0x7f77fc005780 Sep 21 07:16:31.443768: | crypto helper 6 finished crypto (DHv2 for child sa); request ID 6 time elapsed 0.002482 seconds Sep 21 07:16:31.443779: | (#4) spent 2.48 milliseconds in crypto helper computing work-order 6: DHv2 for child sa (dh) Sep 21 07:16:31.443785: | crypto helper 6 sending results from work-order 6 for state #4 to event queue Sep 21 07:16:31.443804: | scheduling resume sending helper answer for #4 Sep 21 07:16:31.443808: | libevent_malloc: new ptr-libevent@0x7f77f0001100 size 128 Sep 21 07:16:31.443815: | crypto helper 6 waiting (nothing to do) Sep 21 07:16:31.443825: | processing resume sending helper answer for #4 Sep 21 07:16:31.443834: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.443837: | crypto helper 6 replies to request ID 6 Sep 21 07:16:31.443839: | calling continuation function 0x563a1ff214f0 Sep 21 07:16:31.443842: | ikev2_child_inIoutR_continue_continue for #4 STATE_V2_CREATE_R Sep 21 07:16:31.443845: | **emit ISAKMP Message: Sep 21 07:16:31.443847: | initiator cookie: Sep 21 07:16:31.443849: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:31.443850: | responder cookie: Sep 21 07:16:31.443852: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:31.443853: | next payload type: 
ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.443855: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.443857: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.443859: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.443860: | Message ID: 2 (0x2) Sep 21 07:16:31.443862: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.443864: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.443866: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.443867: | flags: none (0x0) Sep 21 07:16:31.443869: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.443871: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.443873: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.443890: | netlink_get_spi: allocated 0x543d207b for esp.0@192.1.2.23 Sep 21 07:16:31.443892: | Emitting ikev2_proposal ... 
Sep 21 07:16:31.443893: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.443895: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.443897: | flags: none (0x0) Sep 21 07:16:31.443898: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.443900: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.443902: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.443904: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.443905: | prop #: 1 (0x1) Sep 21 07:16:31.443907: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.443908: | spi size: 4 (0x4) Sep 21 07:16:31.443910: | # transforms: 4 (0x4) Sep 21 07:16:31.443912: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.443914: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.443918: | our spi 54 3d 20 7b Sep 21 07:16:31.443919: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.443921: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.443923: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.443925: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.443927: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.443928: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.443930: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.443932: | length/value: 128 (0x80) Sep 21 07:16:31.443933: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.443935: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.443937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:31.443938: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.443940: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.443942: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.443943: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.443945: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.443947: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.443948: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.443950: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.443951: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.443953: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.443955: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.443956: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.443958: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.443959: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.443961: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.443962: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.443964: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.443966: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.443967: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.443969: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:31.443971: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.443972: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:31.443974: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.443976: | ****emit IKEv2 Nonce Payload: Sep 21 07:16:31.443977: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.443979: | flags: none (0x0) Sep 21 07:16:31.443981: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.443982: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.443984: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.443986: | IKEv2 nonce 12 08 ef 21 89 ec f9 d1 11 8b 77 0b c1 6c 44 62 Sep 21 07:16:31.443987: | IKEv2 nonce 76 64 d0 0d 5c 60 69 9c fd 19 3d 72 70 25 94 2b Sep 21 07:16:31.443990: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.443991: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.443993: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.443994: | flags: none (0x0) Sep 21 07:16:31.443996: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.443998: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.444000: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.444001: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:16:31.444037: | emitting length of IKEv2 Key Exchange Payload: 392 Sep 21 07:16:31.444039: | ****emit IKEv2 Traffic
Selector - Initiator - Payload: Sep 21 07:16:31.444040: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.444042: | flags: none (0x0) Sep 21 07:16:31.444043: | number of TS: 1 (0x1) Sep 21 07:16:31.444045: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.444047: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.444049: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.444050: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.444052: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.444053: | start port: 0 (0x0) Sep 21 07:16:31.444055: | end port: 65535 (0xffff) Sep 21 07:16:31.444057: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.444058: | IP start c0 00 03 00 Sep 21 07:16:31.444060: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.444061: | IP end c0 00 03 ff Sep 21 07:16:31.444063: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.444065: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.444067: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.444068: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.444070: | flags: none (0x0) Sep 21 07:16:31.444071: | number of TS: 1 (0x1) Sep 21 07:16:31.444073: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.444075: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.444077: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.444078: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.444080: | IP Protocol 
ID: 0 (0x0) Sep 21 07:16:31.444081: | start port: 0 (0x0) Sep 21 07:16:31.444083: | end port: 65535 (0xffff) Sep 21 07:16:31.444084: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.444086: | IP start c0 00 16 00 Sep 21 07:16:31.444087: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.444089: | IP end c0 00 16 ff Sep 21 07:16:31.444090: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.444092: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.444093: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:16:31.444096: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.444296: | install_ipsec_sa() for #4: inbound and outbound Sep 21 07:16:31.444300: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:31.444302: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.444304: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.444306: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.444307: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.444309: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.444312: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" erouted; eroute owner: NULL Sep 21 07:16:31.444315: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.444317: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.444319: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.444321: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.444323: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.444325: | netlink: enabling tunnel mode Sep 21 07:16:31.444327: | netlink: setting IPsec SA 
replay-window to 32 using old-style req Sep 21 07:16:31.444329: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.444400: | netlink response for Add SA esp.c8d0fe50@192.1.3.33 included non-error error Sep 21 07:16:31.444404: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.444408: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.444411: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.444415: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.444419: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.444422: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.444425: | netlink: enabling tunnel mode Sep 21 07:16:31.444428: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.444432: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.444478: | netlink response for Add SA esp.543d207b@192.1.2.23 included non-error error Sep 21 07:16:31.444483: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.444492: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:31.444498: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.444541: | raw_eroute result=success Sep 21 07:16:31.444545: | set up incoming SA, ref=0/0 Sep 21 07:16:31.444548: | sr for #4: unrouted Sep 21 07:16:31.444552: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.444555: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.444558: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.444562: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.444564: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.444566: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.444569: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" erouted; eroute owner: NULL Sep 21 07:16:31.444571: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:north-eastnets/0x1 rosr:{0x563a2098d350} and state: #4 Sep 21 07:16:31.444574: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.444578: | eroute_connection add eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:31.444580: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.444600: | raw_eroute result=success Sep 21 07:16:31.444603: | running updown command "ipsec _updown" for verb up Sep 21 07:16:31.444606: | command executing up-client Sep 21 07:16:31.444631: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Sep 21 07:16:31.444634: | popen cmd is 1043 chars long Sep 21 07:16:31.444636: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Sep 21 07:16:31.444637: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:16:31.444639: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' P: Sep 21 07:16:31.444641: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Sep 21 07:16:31.444642: | cmd( 320):O_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Sep 21 07:16:31.444644: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Sep 21 07:16:31.444645: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:31.444647: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Sep 21 07:16:31.444648: | cmd( 640):CRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Sep 21 07:16:31.444650: | cmd( 720):ND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: Sep 21 07:16:31.444651: | cmd( 800):O='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: Sep 21 07:16:31.444653: | cmd( 880):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R: Sep 21 07:16:31.444655: | cmd( 960):OUTING='no' VTI_SHARED='no' SPI_IN=0xc8d0fe50 SPI_OUT=0x543d207b ipsec _updown 2: Sep 21 07:16:31.444658: | cmd(1040):>&1: Sep 21 07:16:31.452497: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.452509: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x563a2098e5a0,sr=0x563a2098e5a0} to #4 (was #0) 
(newest_ipsec_sa=#0) Sep 21 07:16:31.452584: | #2 spent 0.52 milliseconds in install_ipsec_sa() Sep 21 07:16:31.452588: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #2 Sep 21 07:16:31.452591: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.452593: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452595: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452597: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452598: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452600: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452602: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452603: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452605: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452607: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452608: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452610: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452611: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452613: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452615: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452616: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 
07:16:31.452618: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.452620: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.452622: | emitting length of IKEv2 Encryption Payload: 580 Sep 21 07:16:31.452623: | emitting length of ISAKMP Message: 608 Sep 21 07:16:31.452717: | out calculated auth: Sep 21 07:16:31.452718: | cb 7a 6e 4d 01 b3 af c0 76 2e 47 aa fb 3c 28 68 Sep 21 07:16:31.452725: "north-eastnets/0x2" #4: negotiated new IPsec SA [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21
07:16:31.452730: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.452733: | #4 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Sep 21 07:16:31.452735: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Sep 21 07:16:31.452738: | child state #4: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Sep 21 07:16:31.452740: | Message ID: updating counters for #4 to 2 after switching state Sep 21 07:16:31.452743: | Message ID: recv #2.#4 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Sep 21 07:16:31.452746: | Message ID: sent #2.#4 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.452748: | pstats #4 ikev2.child established Sep 21 07:16:31.452752: "north-eastnets/0x2" #4: negotiated connection [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:31.452755: | NAT-T: encaps is 'auto' Sep 21 07:16:31.452758: "north-eastnets/0x2" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xc8d0fe50 <0x543d207b xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.452761: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:31.452765: | sending 608 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2)
Sep 21 07:16:31.452893: | releasing whack for #4 (sock=fd@-1) Sep 21 07:16:31.452910: | releasing whack and unpending for parent #2 Sep 21 07:16:31.452913: | unpending state #2 connection "north-eastnets/0x2" Sep 21 07:16:31.452916: | #4 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:16:31.452918: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.452922: | libevent_free: release ptr-libevent@0x7f7808006900 Sep 21 07:16:31.452924: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f7808002b20 Sep 21 07:16:31.452926: | event_schedule: new EVENT_SA_REKEY-pe@0x7f7808002b20 Sep 21 07:16:31.452928: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #4 Sep 21 07:16:31.452930: | libevent_malloc: new ptr-libevent@0x7f7808006900 size 128 Sep 21 07:16:31.452935: | #4 spent 1.3 milliseconds in resume sending helper answer Sep 21 07:16:31.452938: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.452940: | libevent_free: release ptr-libevent@0x7f77f0001100 Sep 21 07:16:31.452948: | spent 0.00122 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.452957: | *received 464 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.453000: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21
07:16:31.453002: | **parse ISAKMP Message: Sep 21 07:16:31.453004: | initiator cookie: Sep 21 07:16:31.453006: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.453007: | responder cookie: Sep 21 07:16:31.453008: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.453010: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.453012: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.453014: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:16:31.453015: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.453017: | Message ID: 1 (0x1) Sep 21 07:16:31.453019: | length: 464 (0x1d0) Sep 21 07:16:31.453020: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:16:31.453023: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Sep 21 07:16:31.453026: | State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa) Sep 21 07:16:31.453029: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.453031: | State DB: found IKEv2 state #5 in PARENT_I2 (find_v2_sa_by_initiator_wip) Sep 21 07:16:31.453034: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.453036: | start processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.453038: | #5 is idle Sep 21 07:16:31.453040: | #5 idle Sep 21 07:16:31.453041: | unpacking clear payload Sep 21 07:16:31.453044: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.453045: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.453047: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:16:31.453049: | flags: none (0x0) Sep 21 07:16:31.453050: | length: 436 (0x1b4) Sep 21 07:16:31.453052: | processing payload: ISAKMP_NEXT_v2SK (len=432) Sep 21 07:16:31.453053: | #5 in state PARENT_I2: sent v2I2, 
expected v2R2 Sep 21 07:16:31.453110: | calculated auth: 7d 43 6d 61 58 be aa e4 69 32 e6 d0 4f a5 20 32 Sep 21 07:16:31.453112: | provided auth: 7d 43 6d 61 58 be aa e4 69 32 e6 d0 4f a5 20 32 Sep 21 07:16:31.453113: | authenticator matched Sep 21 07:16:31.453118: | #5 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:16:31.453120: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:16:31.453123: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:16:31.453124: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:16:31.453126: | flags: none (0x0) Sep 21 07:16:31.453127: | length: 13 (0xd) Sep 21 07:16:31.453129: | ID type: ID_FQDN (0x2) Sep 21 07:16:31.453130: | processing payload: ISAKMP_NEXT_v2IDr (len=5) Sep 21 07:16:31.453132: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:16:31.453134: | **parse IKEv2 Authentication Payload: Sep 21 07:16:31.453135: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.453137: | flags: none (0x0) Sep 21 07:16:31.453138: | length: 282 (0x11a) Sep 21 07:16:31.453141: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:16:31.453142: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Sep 21 07:16:31.453144: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.453145: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.453147: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.453148: | flags: none (0x0) Sep 21 07:16:31.453150: | length: 44 (0x2c) Sep 21
07:16:31.453151: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:16:31.453153: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.453154: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.453156: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.453157: | flags: none (0x0) Sep 21 07:16:31.453158: | length: 24 (0x18) Sep 21 07:16:31.453160: | number of TS: 1 (0x1) Sep 21 07:16:31.453161: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.453163: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.453164: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.453166: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.453167: | flags: none (0x0) Sep 21 07:16:31.453169: | length: 24 (0x18) Sep 21 07:16:31.453170: | number of TS: 1 (0x1) Sep 21 07:16:31.453171: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.453173: | selected state microcode Initiator: process IKE_AUTH response Sep 21 07:16:31.453175: | Now let's proceed with state specific processing Sep 21 07:16:31.453176: | calling processor Initiator: process IKE_AUTH response Sep 21 07:16:31.453180: | offered CA: '%none' Sep 21 07:16:31.453183: "north-eastnets/0x1" #5: IKEv2 mode peer ID is ID_FQDN: '@north' Sep 21 07:16:31.453192: | verifying AUTH payload Sep 21 07:16:31.453202: | required RSA CA is '%any' Sep 21 07:16:31.453205: | checking RSA keyid '@east' for match with '@north' Sep 21 07:16:31.453207: | checking RSA keyid '@north' for match with '@north' Sep 21 07:16:31.453208: | RSA key issuer CA is '%any' Sep 21 07:16:31.453248: | an RSA Sig check passed with *AQPl33O2P [preloaded keys] Sep 21 07:16:31.453252: | #1 spent 0.0401 milliseconds in try_all_keys() trying a pubkey Sep 21 07:16:31.453254: "north-eastnets/0x1" #5: Authenticated using RSA Sep 21 07:16:31.453257: | #1 spent 0.0609 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:16:31.453259: | parent state #1: 
PARENT_I2(open IKE SA) => PARENT_I3(established IKE SA) Sep 21 07:16:31.453262: | #1 will start re-keying in 2607 seconds with margin of 993 seconds (attempting re-key) Sep 21 07:16:31.453264: | state #1 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:31.453266: | libevent_free: release ptr-libevent@0x7f7804000f40 Sep 21 07:16:31.453268: | free_event_entry: release EVENT_SA_REPLACE-pe@0x563a20998d50 Sep 21 07:16:31.453270: | event_schedule: new EVENT_SA_REKEY-pe@0x563a20998d50 Sep 21 07:16:31.453272: | inserting event EVENT_SA_REKEY, timeout in 2607 seconds for #1 Sep 21 07:16:31.453274: | libevent_malloc: new ptr-libevent@0x7f7804000f40 size 128 Sep 21 07:16:31.453377: | pstats #1 ikev2.ike established Sep 21 07:16:31.453381: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.453383: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.453385: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.453387: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.453389: | length: 16 (0x10) Sep 21 07:16:31.453390: | start port: 0 (0x0) Sep 21 07:16:31.453392: | end port: 65535 (0xffff) Sep 21 07:16:31.453394: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.453395: | TS low c0 00 02 00 Sep 21 07:16:31.453397: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.453398: | TS high c0 00 02 ff Sep 21 07:16:31.453400: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.453401: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.453403: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.453404: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.453407: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.453409: | length: 16 (0x10) Sep 21 07:16:31.453410: | start port: 0 (0x0) Sep 21 07:16:31.453412: | end port: 65535 (0xffff) Sep 21 07:16:31.453413: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.453415: | TS low c0 00 03 00 Sep 21 07:16:31.453416: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS 
high Sep 21 07:16:31.453417: | TS high c0 00 03 ff Sep 21 07:16:31.453419: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.453423: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.453426: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.453430: | match address end->client=192.0.2.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:16:31.453432: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.453434: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.453436: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.453437: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.453440: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.453443: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.453445: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.453447: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.453448: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.453450: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.453452: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.453453: | found an acceptable TSi/TSr Traffic Selector Sep 21 07:16:31.453454: | printing contents struct traffic_selector Sep 21 07:16:31.453456: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.453457: | ipprotoid: 0 Sep 21 07:16:31.453459: | port range: 0-65535 Sep 21 07:16:31.453461: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:16:31.453462: | printing contents struct traffic_selector Sep 21 07:16:31.453464: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.453465: | ipprotoid: 0 Sep 21 07:16:31.453466: | port range: 0-65535 Sep 21 07:16:31.453469: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.453474: | using existing local ESP/AH proposals for north-eastnets/0x1 
(IKE_AUTH initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Sep 21 07:16:31.453476: | Comparing remote proposals against IKE_AUTH initiator accepting remote ESP/AH proposal 1 local proposals Sep 21 07:16:31.453478: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.453480: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.453481: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.453483: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.453484: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.453486: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:16:31.453488: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.453490: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.453491: | length: 40 (0x28) Sep 21 07:16:31.453493: | prop #: 1 (0x1) Sep 21 07:16:31.453494: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.453496: | spi size: 4 (0x4) Sep 21 07:16:31.453497: | # transforms: 3 (0x3) Sep 21 07:16:31.453499: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.453500: | remote SPI ff f4 87 1b Sep 21 07:16:31.453502: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.453504: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453506: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.453507: | length: 12 (0xc) Sep 21 07:16:31.453510: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.453511: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.453513: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.453515: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.453516: | length/value: 128 (0x80) Sep 21 07:16:31.453519: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:16:31.453521: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453522: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.453523: | length: 8 (0x8) Sep 21 07:16:31.453525: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.453526: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.453529: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.453530: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.453532: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.453533: | length: 8 (0x8) Sep 21 07:16:31.453535: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.453536: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.453538: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.453540: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:16:31.453543: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:16:31.453545: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.453547: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Sep 21 07:16:31.453550: | IKE_AUTH initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=fff4871b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Sep 21 07:16:31.453551: | converting proposal to internal trans attrs Sep 21 07:16:31.453555: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.453744: | install_ipsec_sa() for #5: inbound and outbound Sep 21 07:16:31.453747: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Sep 21 07:16:31.453749: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.453751: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.453753: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.453755: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.453757: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.453759: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Sep 21 07:16:31.453761: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.453763: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.453765: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.453768: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.453770: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.453772: | netlink: enabling tunnel mode Sep 21 07:16:31.453774: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.453775: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.453851: | netlink response for Add SA esp.fff4871b@192.1.3.33 included non-error error Sep 21 07:16:31.453856: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.453858: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.453860: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.453861: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.453864: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.453867: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Sep 21 07:16:31.453869: | netlink: enabling tunnel mode Sep 21 07:16:31.453870: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.453872: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.453910: | 
netlink response for Add SA esp.4066dd7c@192.1.2.23 included non-error error Sep 21 07:16:31.453912: | set up incoming SA, ref=0/0 Sep 21 07:16:31.453914: | sr for #5: erouted Sep 21 07:16:31.453916: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.453917: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.453919: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.453921: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.453923: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.453924: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.453926: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Sep 21 07:16:31.453929: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:north-eastnets/0x1 esr:{(nil)} ro:north-eastnets/0x1 rosr:{(nil)} and state: #5 Sep 21 07:16:31.453931: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:31.453936: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:31.453938: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.453960: | raw_eroute result=success Sep 21 07:16:31.453962: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.453964: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x563a2098d350,sr=0x563a2098d350} to #5 (was #3) (newest_ipsec_sa=#3) Sep 21 07:16:31.454003: | #1 spent 0.238 milliseconds in install_ipsec_sa() Sep 21 07:16:31.454007: | inR2: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #5 (was #3) (spd.eroute=#5) cloned from #1 Sep 21 07:16:31.454009: | state #5 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.454010: | #5 STATE_PARENT_I2: retransmits: cleared Sep 21 07:16:31.454013: | libevent_free: release ptr-libevent@0x563a20996ea0 Sep 21 07:16:31.454014: | free_event_entry: release 
EVENT_RETRANSMIT-pe@0x563a20913250 Sep 21 07:16:31.454017: | #5 spent 0.813 milliseconds in processing: Initiator: process IKE_AUTH response in ikev2_process_state_packet() Sep 21 07:16:31.454021: | [RE]START processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.454023: | #5 complete_v2_state_transition() PARENT_I2->V2_IPSEC_I with status STF_OK Sep 21 07:16:31.454025: | IKEv2: transition from state STATE_PARENT_I2 to state STATE_V2_IPSEC_I Sep 21 07:16:31.454027: | child state #5: PARENT_I2(open IKE SA) => V2_IPSEC_I(established CHILD SA) Sep 21 07:16:31.454029: | Message ID: updating counters for #5 to 1 after switching state Sep 21 07:16:31.454032: | Message ID: recv #1.#5 response 1; ike: initiator.sent=1 initiator.recv=0->1 responder.sent=-1 responder.recv=-1; child: wip.initiator=1->-1 wip.responder=-1 Sep 21 07:16:31.454035: | Message ID: #1.#5 skipping update_send as nothing to send; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.454037: | pstats #5 ikev2.child established Sep 21 07:16:31.454041: "north-eastnets/0x1" #5: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:31.454043: | NAT-T: encaps is 'auto' Sep 21 07:16:31.454046: "north-eastnets/0x1" #5: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xfff4871b <0x4066dd7c xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.454047: | releasing whack for #5 (sock=fd@-1) Sep 21 07:16:31.454049: | releasing whack and unpending for parent #1 Sep 21 07:16:31.454051: | unpending state #1 connection "north-eastnets/0x1" Sep 21 07:16:31.454055: | delete from pending Child SA with 192.1.3.33 "north-eastnets/0x1" Sep 21 07:16:31.454057: | removing pending policy for no connection {0x563a208ef4d0} Sep 21 07:16:31.454060: | FOR_EACH_STATE_... 
in find_pending_phase2 Sep 21 07:16:31.454063: | creating state object #6 at 0x563a2099e400 Sep 21 07:16:31.454065: | State DB: adding IKEv2 state #6 in UNDEFINED Sep 21 07:16:31.454067: | pstats #6 ikev2.child started Sep 21 07:16:31.454069: | duplicating state object #1 "north-eastnets/0x2" as #6 for IPSEC SA Sep 21 07:16:31.454071: | #6 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:16:31.454075: | Message ID: init_child #1.#6; ike: initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:16:31.454078: | suspend processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:31.454081: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5634) Sep 21 07:16:31.454083: | child state #6: UNDEFINED(ignore) => V2_CREATE_I0(established IKE SA) Sep 21 07:16:31.454087: | using existing local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.454090: | #6 schedule initiate IPsec SA RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO using IKE# 1 pfs=MODP3072 Sep 21 07:16:31.454092: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x563a20913250 Sep 21 07:16:31.454094: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #6 Sep 21 07:16:31.454096: | libevent_malloc: new ptr-libevent@0x563a20996ea0 size 128 Sep 21 07:16:31.454099: | RESET processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:31.454102: | RESET processing: from 192.1.3.33:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5734) Sep 21 07:16:31.454104: | delete from pending Child SA with 
192.1.3.33 "north-eastnets/0x2" Sep 21 07:16:31.454105: | removing pending policy for no connection {0x563a2090c320} Sep 21 07:16:31.454108: | #5 will start re-keying in 28048 seconds with margin of 752 seconds (attempting re-key) Sep 21 07:16:31.454110: | event_schedule: new EVENT_SA_REKEY-pe@0x563a20998590 Sep 21 07:16:31.454112: | inserting event EVENT_SA_REKEY, timeout in 28048 seconds for #5 Sep 21 07:16:31.454113: | libevent_malloc: new ptr-libevent@0x7f77f0001100 size 128 Sep 21 07:16:31.454115: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.454118: | #1 spent 1.14 milliseconds in ikev2_process_packet() Sep 21 07:16:31.454121: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.454122: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.454125: | spent 1.15 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.454130: | processing signal PLUTO_SIGCHLD Sep 21 07:16:31.454134: | waitpid returned ECHILD (no child processes left) Sep 21 07:16:31.454137: | spent 0.00341 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:16:31.454141: | timer_event_cb: processing event@0x563a20913250 Sep 21 07:16:31.454143: | handling event EVENT_v2_INITIATE_CHILD for child state #6 Sep 21 07:16:31.454145: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:250) Sep 21 07:16:31.454148: | adding Child Initiator KE and nonce ni work-order 7 for state #6 Sep 21 07:16:31.454150: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a209958a0 Sep 21 07:16:31.454152: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Sep 21 07:16:31.454154: | libevent_malloc: new ptr-libevent@0x563a209a1ba0 size 128 Sep 21 07:16:31.454159: | libevent_free: release ptr-libevent@0x563a20996ea0 Sep 21 07:16:31.454162: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x563a20913250 Sep 21 
07:16:31.454165: | #6 spent 0.0235 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Sep 21 07:16:31.454168: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in timer_event_cb() at timer.c:557) Sep 21 07:16:31.454169: | crypto helper 4 resuming Sep 21 07:16:31.454178: | crypto helper 4 starting work-order 7 for state #6 Sep 21 07:16:31.454182: | crypto helper 4 doing build KE and nonce (Child Initiator KE and nonce ni); request ID 7 Sep 21 07:16:31.456789: | crypto helper 4 finished build KE and nonce (Child Initiator KE and nonce ni); request ID 7 time elapsed 0.002606 seconds Sep 21 07:16:31.456800: | (#6) spent 2.6 milliseconds in crypto helper computing work-order 7: Child Initiator KE and nonce ni (pcr) Sep 21 07:16:31.456804: | crypto helper 4 sending results from work-order 7 for state #6 to event queue Sep 21 07:16:31.456807: | scheduling resume sending helper answer for #6 Sep 21 07:16:31.456810: | libevent_malloc: new ptr-libevent@0x7f77f4005780 size 128 Sep 21 07:16:31.456818: | crypto helper 4 waiting (nothing to do) Sep 21 07:16:31.456829: | processing resume sending helper answer for #6 Sep 21 07:16:31.456840: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.456845: | crypto helper 4 replies to request ID 7 Sep 21 07:16:31.456847: | calling continuation function 0x563a1ff20630 Sep 21 07:16:31.456852: | ikev2_child_outI_continue for #6 STATE_V2_CREATE_I0 Sep 21 07:16:31.456855: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.456859: | libevent_free: release ptr-libevent@0x563a209a1ba0 Sep 21 07:16:31.456862: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a209958a0 Sep 21 07:16:31.456866: | event_schedule: new EVENT_SA_REPLACE-pe@0x563a209958a0 Sep 21 07:16:31.456869: | inserting event EVENT_SA_REPLACE, timeout in 200 seconds for #6 Sep 21 07:16:31.456872: | libevent_malloc: new 
ptr-libevent@0x563a209a1ba0 size 128 Sep 21 07:16:31.456877: | Message ID: #1 wakeing IKE SA (unack 0); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.456881: | scheduling callback v2_msgid_schedule_next_initiator (#1) Sep 21 07:16:31.456884: | libevent_malloc: new ptr-libevent@0x563a20996ea0 size 128 Sep 21 07:16:31.456890: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.456893: | #6 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_SUSPEND Sep 21 07:16:31.456894: | suspending state #6 and saving MD Sep 21 07:16:31.456896: | #6 is busy; has a suspended MD Sep 21 07:16:31.456899: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.456901: | "north-eastnets/0x2" #6 complete v2 state STATE_V2_CREATE_I0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.456904: | resume sending helper answer for #6 suppresed complete_v2_state_transition() Sep 21 07:16:31.456908: | #6 spent 0.0626 milliseconds in resume sending helper answer Sep 21 07:16:31.456911: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.456913: | libevent_free: release ptr-libevent@0x7f77f4005780 Sep 21 07:16:31.456917: | processing callback v2_msgid_schedule_next_initiator for #1 Sep 21 07:16:31.456920: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in callback_handler() at server.c:904) Sep 21 07:16:31.456924: | Message ID: #1.#6 resuming SA using IKE SA (unack 0); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.456927: | suspend processing: state #1 connection "north-eastnets/0x2" from 
192.1.3.33:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:31.456932: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in initiate_next() at ikev2_msgid.c:553) Sep 21 07:16:31.456936: | **emit ISAKMP Message: Sep 21 07:16:31.456938: | initiator cookie: Sep 21 07:16:31.456940: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.456941: | responder cookie: Sep 21 07:16:31.456942: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.456944: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:31.456946: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.456948: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.456950: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:31.456952: | Message ID: 2 (0x2) Sep 21 07:16:31.456953: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:31.456955: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:31.456957: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.456958: | flags: none (0x0) Sep 21 07:16:31.456960: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:31.456962: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.456964: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:31.456979: | netlink_get_spi: allocated 0x43bbc6ab for esp.0@192.1.2.23 Sep 21 07:16:31.456981: | Emitting ikev2_proposals ... 
Sep 21 07:16:31.456984: | ****emit IKEv2 Security Association Payload: Sep 21 07:16:31.456986: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.456989: | flags: none (0x0) Sep 21 07:16:31.456992: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:16:31.456994: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.456996: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.456998: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.456999: | prop #: 1 (0x1) Sep 21 07:16:31.457001: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.457002: | spi size: 4 (0x4) Sep 21 07:16:31.457004: | # transforms: 4 (0x4) Sep 21 07:16:31.457005: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:16:31.457007: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:16:31.457009: | our spi 43 bb c6 ab Sep 21 07:16:31.457011: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.457012: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.457014: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.457015: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.457017: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.457019: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.457021: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.457023: | length/value: 128 (0x80) Sep 21 07:16:31.457025: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:16:31.457027: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.457030: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:16:31.457032: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.457034: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.457036: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.457039: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.457044: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.457046: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.457049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.457051: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.457053: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.457056: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.457059: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.457061: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.457064: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:16:31.457066: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.457068: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.457071: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.457073: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.457076: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:16:31.457078: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:16:31.457081: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Sep 21 07:16:31.457083: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:16:31.457086: | emitting length of IKEv2 Security Association Payload: 52 Sep 21 07:16:31.457088: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:16:31.457091: | ****emit IKEv2 Nonce Payload: Sep 21 07:16:31.457093: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.457096: | flags: none (0x0) Sep 21 07:16:31.457099: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.457101: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.457104: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:16:31.457107: | IKEv2 nonce cc c6 5e 4e c8 70 69 18 a5 df 2b 83 24 9a 2c 27 Sep 21 07:16:31.457109: | IKEv2 nonce 47 a4 a1 3b 3e c8 0f 54 0e d3 63 32 53 a9 53 3e Sep 21 07:16:31.457111: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:16:31.457114: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:16:31.457116: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.457119: | flags: none (0x0) Sep 21 07:16:31.457121: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.457124: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:16:31.457127: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.457129: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:16:31.457201: | emitting length of IKEv2 Key Exchange Payload: 392 Sep 21 07:16:31.457204: | ****emit IKEv2 Traffic
Selector - Initiator - Payload: Sep 21 07:16:31.457207: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.457209: | flags: none (0x0) Sep 21 07:16:31.457212: | number of TS: 1 (0x1) Sep 21 07:16:31.457215: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.457218: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.457221: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.457223: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.457240: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.457243: | start port: 0 (0x0) Sep 21 07:16:31.457245: | end port: 65535 (0xffff) Sep 21 07:16:31.457248: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.457251: | IP start c0 00 16 00 Sep 21 07:16:31.457254: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.457256: | IP end c0 00 16 ff Sep 21 07:16:31.457259: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.457261: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:16:31.457264: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.457266: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.457269: | flags: none (0x0) Sep 21 07:16:31.457271: | number of TS: 1 (0x1) Sep 21 07:16:31.457274: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.457277: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:16:31.457280: | *****emit IKEv2 Traffic Selector: Sep 21 07:16:31.457282: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.457285: | IP Protocol 
ID: 0 (0x0) Sep 21 07:16:31.457287: | start port: 0 (0x0) Sep 21 07:16:31.457290: | end port: 65535 (0xffff) Sep 21 07:16:31.457306: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:16:31.457308: | IP start c0 00 03 00 Sep 21 07:16:31.457311: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:16:31.457313: | IP end c0 00 03 ff Sep 21 07:16:31.457315: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:16:31.457318: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:16:31.457324: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Sep 21 07:16:31.457328: | adding 16 bytes of padding (including 1 byte padding-length) Sep 21 07:16:31.457331: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457334: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457337: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457340: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457342: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457345: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457348: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457351: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457354: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457356: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457359: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457362: | emitting 1 0x0b repeated bytes of padding and 
length into IKEv2 Encryption Payload Sep 21 07:16:31.457364: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457367: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457369: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457372: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:31.457375: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:31.457377: | emitting length of IKEv2 Encryption Payload: 580 Sep 21 07:16:31.457380: | emitting length of ISAKMP Message: 608
Sep 21 07:16:31.457519: | out calculated auth: Sep 21 07:16:31.457521: | a5 ec 7e 3f 22 8d e7 34 ce 76 d2 ae ba 09 5b e7 Sep 21 07:16:31.457529: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.457532: | #6 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_OK Sep 21 07:16:31.457535: | IKEv2: transition from state STATE_V2_CREATE_I0 to state STATE_V2_CREATE_I Sep 21 07:16:31.457539: | child state #6: V2_CREATE_I0(established IKE SA) => V2_CREATE_I(established IKE SA) Sep 21 07:16:31.457542: | Message ID: updating counters for #6 to 4294967295 after switching state Sep 21 07:16:31.457557: | Message ID: IKE #1 skipping update_recv as MD is fake Sep 21 07:16:31.457562: | Message ID: sent #1.#6 request 2; ike: initiator.sent=1->2 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->2 wip.responder=-1 Sep 21 07:16:31.457565: "north-eastnets/0x2" #6: STATE_V2_CREATE_I: sent IPsec Child req wait response Sep 21 07:16:31.457570: | sending V2 reply packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:16:31.457576: | sending 608 bytes for STATE_V2_CREATE_I0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:16:31.457706: | state #6 requesting EVENT_SA_REPLACE to be deleted Sep 21 07:16:31.457711: | libevent_free: release ptr-libevent@0x563a209a1ba0 Sep 21 07:16:31.457714: | free_event_entry: release EVENT_SA_REPLACE-pe@0x563a209958a0 Sep 21 07:16:31.457717: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Sep 21 07:16:31.457721: | event_schedule: new EVENT_RETRANSMIT-pe@0x563a209958a0 Sep 21 07:16:31.457724: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #6 Sep 21 07:16:31.457727: | libevent_malloc: new ptr-libevent@0x563a209a1ba0 size 128 Sep 21 07:16:31.457733: | #6 STATE_V2_CREATE_I: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 48837.825984 Sep 21 07:16:31.457739: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:31.457744: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in initiate_next() at ikev2_msgid.c:557) Sep 21 07:16:31.457750: | #1 spent 0.8 milliseconds in callback v2_msgid_schedule_next_initiator Sep 21 07:16:31.457755: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in callback_handler() at server.c:908) Sep 21 07:16:31.457758: | libevent_free: release ptr-libevent@0x563a20996ea0 Sep 21 07:16:31.491446: | spent 0.00291 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:16:31.491466: | *received 608 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:16:31.491532: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:16:31.491534: | **parse ISAKMP Message: Sep 21 07:16:31.491535: | initiator cookie: Sep 21 07:16:31.491537: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:31.491538: | responder cookie: Sep 21 07:16:31.491540: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:31.491541: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:16:31.491543: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:31.491545: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:16:31.491546: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:16:31.491548: | Message ID: 2 (0x2) Sep 21 07:16:31.491549: | length: 608 (0x260) Sep 21 07:16:31.491551: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:16:31.491553: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA response Sep 21 07:16:31.491556: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Sep 21 07:16:31.491560: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:16:31.491563: | State DB: found IKEv2 state #6 in V2_CREATE_I (find_v2_sa_by_initiator_wip) Sep 21 07:16:31.491565: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at
ikev2.c:2062) Sep 21 07:16:31.491568: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:16:31.491569: | #6 is idle Sep 21 07:16:31.491571: | #6 idle Sep 21 07:16:31.491572: | unpacking clear payload Sep 21 07:16:31.491574: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:16:31.491577: | ***parse IKEv2 Encryption Payload: Sep 21 07:16:31.491578: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:16:31.491580: | flags: none (0x0) Sep 21 07:16:31.491581: | length: 580 (0x244) Sep 21 07:16:31.491583: | processing payload: ISAKMP_NEXT_v2SK (len=576) Sep 21 07:16:31.491585: | #6 in state V2_CREATE_I: sent IPsec Child req wait response
Sep 21 07:16:31.491659: | calculated auth: b9 9c 00 88 81 42 2b 20 e4 fc 76 c7 db 5b db e1 Sep 21 07:16:31.491661: | provided auth: b9 9c 00 88 81 42 2b 20 e4 fc 76 c7 db 5b db e1 Sep 21 07:16:31.491662: | authenticator matched Sep 21 07:16:31.491670: | #6 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:16:31.491672: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:16:31.491674: | **parse IKEv2 Security Association Payload: Sep 21 07:16:31.491676: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:16:31.491677: | flags: none (0x0) Sep 21 07:16:31.491679: | length: 52 (0x34) Sep 21 07:16:31.491680: | processing payload: ISAKMP_NEXT_v2SA (len=48) Sep 21 07:16:31.491681: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:16:31.491683: | **parse IKEv2 Nonce Payload: Sep 21 07:16:31.491684: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:16:31.491686: | flags: none (0x0) Sep 21 07:16:31.491687: | length: 36 (0x24) Sep 21 07:16:31.491689: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:16:31.491690: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:16:31.491692: | **parse IKEv2 Key Exchange Payload: Sep 21 07:16:31.491693: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:16:31.491695: | flags: none (0x0) Sep 21 07:16:31.491696: | length: 392 (0x188) Sep 21 07:16:31.491698: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.491699: | processing payload: ISAKMP_NEXT_v2KE (len=384) Sep 21 07:16:31.491701: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:16:31.491702: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:16:31.491704: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:16:31.491705: | flags: none (0x0) Sep 21 07:16:31.491706: | length: 24 (0x18) Sep 21 07:16:31.491708: | number of TS: 1 (0x1) Sep 21 07:16:31.491709: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:16:31.491711: | Now let's proceed
with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:16:31.491712: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:16:31.491714: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:31.491715: | flags: none (0x0) Sep 21 07:16:31.491716: | length: 24 (0x18) Sep 21 07:16:31.491718: | number of TS: 1 (0x1) Sep 21 07:16:31.491719: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:16:31.491721: | selected state microcode Process CREATE_CHILD_SA IPsec SA Response Sep 21 07:16:31.491724: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:16:31.491726: | forcing ST #6 to CHILD #1.#6 in FSM processor Sep 21 07:16:31.491727: | Now let's proceed with state specific processing Sep 21 07:16:31.491729: | calling processor Process CREATE_CHILD_SA IPsec SA Response Sep 21 07:16:31.491734: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.491736: | Comparing remote proposals against CREATE_CHILD_SA initiator accepting remote ESP/AH proposal 1 local proposals Sep 21 07:16:31.491739: | local proposal 1 type ENCR has 1 transforms Sep 21 07:16:31.491740: | local proposal 1 type PRF has 0 transforms Sep 21 07:16:31.491742: | local proposal 1 type INTEG has 1 transforms Sep 21 07:16:31.491743: | local proposal 1 type DH has 1 transforms Sep 21 07:16:31.491745: | local proposal 1 type ESN has 1 transforms Sep 21 07:16:31.491747: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:16:31.491749: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:16:31.491750: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:16:31.491752: | length: 48 (0x30) Sep 21 07:16:31.491753: | prop #: 1 (0x1) Sep 21 07:16:31.491755: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:16:31.491756: | spi size: 4 
(0x4) Sep 21 07:16:31.491757: | # transforms: 4 (0x4) Sep 21 07:16:31.491759: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:16:31.491761: | remote SPI 18 ee 80 5c Sep 21 07:16:31.491763: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:16:31.491766: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.491767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.491769: | length: 12 (0xc) Sep 21 07:16:31.491770: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:16:31.491772: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:16:31.491773: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:16:31.491775: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:16:31.491776: | length/value: 128 (0x80) Sep 21 07:16:31.491779: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:16:31.491781: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.491782: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.491804: | length: 8 (0x8) Sep 21 07:16:31.491807: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:16:31.491810: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:16:31.491812: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:16:31.491814: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.491816: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:16:31.491817: | length: 8 (0x8) Sep 21 07:16:31.491818: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:16:31.491820: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:16:31.491822: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:16:31.491823: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:16:31.491825: | last transform: 
v2_TRANSFORM_LAST (0x0) Sep 21 07:16:31.491826: | length: 8 (0x8) Sep 21 07:16:31.491828: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:16:31.491829: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:16:31.491831: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:16:31.491834: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Sep 21 07:16:31.491836: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Sep 21 07:16:31.491838: | remote proposal 1 matches local proposal 1 Sep 21 07:16:31.491840: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Sep 21 07:16:31.491843: | CREATE_CHILD_SA initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=18ee805c;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Sep 21 07:16:31.491845: | converting proposal to internal trans attrs Sep 21 07:16:31.491848: | updating #6's .st_oakley with preserved PRF, but why update? 
Sep 21 07:16:31.491851: | adding ikev2 Child SA initiator pfs=yes work-order 8 for state #6 Sep 21 07:16:31.491866: | state #6 requesting EVENT_RETRANSMIT to be deleted Sep 21 07:16:31.491868: | #6 STATE_V2_CREATE_I: retransmits: cleared Sep 21 07:16:31.491870: | libevent_free: release ptr-libevent@0x563a209a1ba0 Sep 21 07:16:31.491872: | free_event_entry: release EVENT_RETRANSMIT-pe@0x563a209958a0 Sep 21 07:16:31.491874: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563a209958a0 Sep 21 07:16:31.491876: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Sep 21 07:16:31.491878: | libevent_malloc: new ptr-libevent@0x563a209a1ba0 size 128 Sep 21 07:16:31.491885: | #6 spent 0.148 milliseconds in processing: Process CREATE_CHILD_SA IPsec SA Response in ikev2_process_state_packet() Sep 21 07:16:31.491903: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.491906: | #6 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_SUSPEND Sep 21 07:16:31.491907: | suspending state #6 and saving MD Sep 21 07:16:31.491909: | crypto helper 0 resuming Sep 21 07:16:31.491919: | crypto helper 0 starting work-order 8 for state #6 Sep 21 07:16:31.491910: | #6 is busy; has a suspended MD Sep 21 07:16:31.491923: | crypto helper 0 doing crypto (ikev2 Child SA initiator pfs=yes); request ID 8 Sep 21 07:16:31.491928: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:16:31.491937: | "north-eastnets/0x2" #6 complete v2 state STATE_V2_CREATE_I transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:16:31.491940: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:16:31.491943: | #1 spent 0.477 milliseconds in ikev2_process_packet() Sep 21 07:16:31.491946: | stop 
processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:16:31.491948: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:16:31.491949: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:16:31.491952: | spent 0.486 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:16:31.493658: | crypto helper 0 finished crypto (ikev2 Child SA initiator pfs=yes); request ID 8 time elapsed 0.001735 seconds Sep 21 07:16:31.493669: | (#6) spent 1.73 milliseconds in crypto helper computing work-order 8: ikev2 Child SA initiator pfs=yes (dh) Sep 21 07:16:31.493672: | crypto helper 0 sending results from work-order 8 for state #6 to event queue Sep 21 07:16:31.493674: | scheduling resume sending helper answer for #6 Sep 21 07:16:31.493676: | libevent_malloc: new ptr-libevent@0x7f7808006b50 size 128 Sep 21 07:16:31.493683: | crypto helper 0 waiting (nothing to do) Sep 21 07:16:31.493694: | processing resume sending helper answer for #6 Sep 21 07:16:31.493704: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:16:31.493710: | crypto helper 0 replies to request ID 8 Sep 21 07:16:31.493713: | calling continuation function 0x563a1ff214f0 Sep 21 07:16:31.493717: | ikev2_child_inR_continue for #6 STATE_V2_CREATE_I Sep 21 07:16:31.493720: | TSi: parsing 1 traffic selectors Sep 21 07:16:31.493723: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.493725: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.493728: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.493731: | length: 16 (0x10) Sep 21 07:16:31.493733: | start port: 0 (0x0) Sep 21 07:16:31.493735: | end port: 65535 (0xffff) Sep 21 07:16:31.493739: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.493741: | TS low c0 00 16 00 Sep 21 07:16:31.493743: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.493745: | TS high c0 00 
16 ff Sep 21 07:16:31.493748: | TSi: parsed 1 traffic selectors Sep 21 07:16:31.493750: | TSr: parsing 1 traffic selectors Sep 21 07:16:31.493752: | ***parse IKEv2 Traffic Selector: Sep 21 07:16:31.493754: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:16:31.493757: | IP Protocol ID: 0 (0x0) Sep 21 07:16:31.493759: | length: 16 (0x10) Sep 21 07:16:31.493761: | start port: 0 (0x0) Sep 21 07:16:31.493763: | end port: 65535 (0xffff) Sep 21 07:16:31.493765: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:16:31.493767: | TS low c0 00 03 00 Sep 21 07:16:31.493770: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:16:31.493772: | TS high c0 00 03 ff Sep 21 07:16:31.493775: | TSr: parsed 1 traffic selectors Sep 21 07:16:31.493780: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Sep 21 07:16:31.493793: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.493802: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Sep 21 07:16:31.493806: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:16:31.493808: | TSi[0] port match: YES fitness 65536 Sep 21 07:16:31.493814: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:16:31.493817: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.493822: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:16:31.493828: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:16:31.493831: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:16:31.493833: | TSr[0] port match: YES fitness 65536 Sep 21 07:16:31.493836: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:16:31.493839: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:16:31.493842: | best fit so far: TSi[0] TSr[0] Sep 21 07:16:31.493844: | found an acceptable 
TSi/TSr Traffic Selector Sep 21 07:16:31.493847: | printing contents struct traffic_selector Sep 21 07:16:31.493849: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.493851: | ipprotoid: 0 Sep 21 07:16:31.493853: | port range: 0-65535 Sep 21 07:16:31.493857: | ip range: 192.0.22.0-192.0.22.255 Sep 21 07:16:31.493859: | printing contents struct traffic_selector Sep 21 07:16:31.493861: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Sep 21 07:16:31.493863: | ipprotoid: 0 Sep 21 07:16:31.493865: | port range: 0-65535 Sep 21 07:16:31.493868: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:16:31.493872: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Sep 21 07:16:31.494188: | install_ipsec_sa() for #6: inbound and outbound Sep 21 07:16:31.494194: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Sep 21 07:16:31.494197: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:31.494200: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.494202: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.494205: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.494208: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.494212: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Sep 21 07:16:31.494215: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.494219: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.494222: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.494226: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.494229: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.494233: | netlink: enabling tunnel mode Sep 21 07:16:31.494236: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.494239: | netlink: esp-hw-offload not set 
for IPsec SA Sep 21 07:16:31.494327: | netlink response for Add SA esp.18ee805c@192.1.3.33 included non-error error Sep 21 07:16:31.494331: | set up outgoing SA, ref=0/0 Sep 21 07:16:31.494334: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Sep 21 07:16:31.494337: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Sep 21 07:16:31.494339: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Sep 21 07:16:31.494342: | setting IPsec SA replay-window to 32 Sep 21 07:16:31.494345: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Sep 21 07:16:31.494347: | netlink: enabling tunnel mode Sep 21 07:16:31.494350: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:16:31.494352: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:16:31.494397: | netlink response for Add SA esp.43bbc6ab@192.1.2.23 included non-error error Sep 21 07:16:31.494401: | set up incoming SA, ref=0/0 Sep 21 07:16:31.494403: | sr for #6: erouted Sep 21 07:16:31.494406: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:16:31.494408: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:31.494413: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.494415: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:31.494418: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:31.494420: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:31.494423: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Sep 21 07:16:31.494427: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:north-eastnets/0x2 esr:{(nil)} ro:north-eastnets/0x2 rosr:{(nil)} and state: #6 Sep 21 07:16:31.494430: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:31.494438: | eroute_connection replace eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:16:31.494441: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:31.494480: | raw_eroute result=success Sep 21 07:16:31.494483: | route_and_eroute: firewall_notified: true Sep 21 07:16:31.494499: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x563a2098e5a0,sr=0x563a2098e5a0} to #6 (was #4) (newest_ipsec_sa=#4) Sep 21 07:16:31.494553: | #1 spent 0.333 milliseconds in install_ipsec_sa() Sep 21 07:16:31.494558: | inR2: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #6 (was #4) (spd.eroute=#6) cloned from #1 Sep 21 07:16:31.494560: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:16:31.494564: | libevent_free: release ptr-libevent@0x563a209a1ba0 Sep 21 07:16:31.494567: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563a209958a0 Sep 21 07:16:31.494572: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:16:31.494576: | #6 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_OK Sep 21 07:16:31.494578: | IKEv2: transition from state STATE_V2_CREATE_I to state 
STATE_V2_IPSEC_I Sep 21 07:16:31.494582: | child state #6: V2_CREATE_I(established IKE SA) => V2_IPSEC_I(established CHILD SA) Sep 21 07:16:31.494584: | Message ID: updating counters for #6 to 2 after switching state Sep 21 07:16:31.494589: | Message ID: recv #1.#6 response 2; ike: initiator.sent=2 initiator.recv=1->2 responder.sent=-1 responder.recv=-1; child: wip.initiator=2->-1 wip.responder=-1 Sep 21 07:16:31.494593: | Message ID: #1.#6 skipping update_send as nothing to send; initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Sep 21 07:16:31.494596: | pstats #6 ikev2.child established Sep 21 07:16:31.494603: "north-eastnets/0x2" #6: negotiated connection [192.0.22.0-192.0.22.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:16:31.494606: | NAT-T: encaps is 'auto' Sep 21 07:16:31.494610: "north-eastnets/0x2" #6: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x18ee805c <0x43bbc6ab xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Sep 21 07:16:31.494613: | releasing whack for #6 (sock=fd@-1) Sep 21 07:16:31.494616: | releasing whack and unpending for parent #1 Sep 21 07:16:31.494618: | unpending state #1 connection "north-eastnets/0x2" Sep 21 07:16:31.494622: | #6 will start re-keying in 27838 seconds with margin of 962 seconds (attempting re-key) Sep 21 07:16:31.494625: | event_schedule: new EVENT_SA_REKEY-pe@0x563a209958a0 Sep 21 07:16:31.494628: | inserting event EVENT_SA_REKEY, timeout in 27838 seconds for #6 Sep 21 07:16:31.494631: | libevent_malloc: new ptr-libevent@0x563a209a1ba0 size 128 Sep 21 07:16:31.494636: | #6 spent 0.89 milliseconds in resume sending helper answer Sep 21 07:16:31.494641: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:16:31.494644: | libevent_free: release ptr-libevent@0x7f7808006b50 Sep 21 07:16:32.842274: | accept(whackctlfd, (struct sockaddr 
*)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:32.842295: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:16:32.842302: | FOR_EACH_STATE_... in sort_states Sep 21 07:16:32.842309: | get_sa_info esp.ecbd618@192.1.2.23 Sep 21 07:16:32.842323: | get_sa_info esp.2d973bf0@192.1.3.33 Sep 21 07:16:32.842336: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:32.842345: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:32.842356: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:32.842364: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:32.842374: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:32.842381: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:32.842393: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:16:32.842401: | spent 0.133 milliseconds in whack Sep 21 07:16:33.909883: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:16:33.909902: shutting down Sep 21 07:16:33.909910: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:16:33.909914: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:16:33.909921: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:16:33.909923: forgetting secrets Sep 21 07:16:33.909928: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:16:33.909932: | unreference key: 0x563a208e68f0 @east cnt 1-- Sep 21 07:16:33.909935: | unreference key: 0x563a20914f60 @north cnt 3-- Sep 21 07:16:33.909939: | start processing: connection "north-eastnets/0x2" (in delete_connection() at connections.c:189) Sep 21 07:16:33.909943: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:33.909945: | pass 0 Sep 21 07:16:33.909947: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:33.909950: | state #6 Sep 21 07:16:33.909953: | suspend processing: connection "north-eastnets/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.909959: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.909962: | pstats #6 ikev2.child deleted completed Sep 21 07:16:33.909966: | #6 spent 5.46 milliseconds in total Sep 21 07:16:33.909970: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.909975: "north-eastnets/0x2" #6: deleting state (STATE_V2_IPSEC_I) aged 2.455s and sending notification Sep 21 07:16:33.909978: | child state #6: V2_IPSEC_I(established CHILD SA) => delete Sep 21 07:16:33.909983: | get_sa_info esp.18ee805c@192.1.3.33 Sep 21 07:16:33.910490: | get_sa_info esp.43bbc6ab@192.1.2.23 Sep 21 07:16:33.910506: "north-eastnets/0x2" #6: ESP traffic information: in=0B out=0B Sep 21 07:16:33.910512: | #6 send IKEv2 delete notification for STATE_V2_IPSEC_I Sep 21 07:16:33.910515: | Opening output PBS informational exchange delete request Sep 21 07:16:33.910519: | **emit ISAKMP Message: Sep 21 07:16:33.910522: | initiator cookie: Sep 21 07:16:33.910525: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.910527: | responder cookie: Sep 21 07:16:33.910530: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.910533: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.910536: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.910539: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.910543: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.910545: | Message ID: 3 (0x3) Sep 21 07:16:33.910549: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.910553: | ***emit IKEv2 Encryption Payload: Sep 21 
07:16:33.910556: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.910558: | flags: none (0x0) Sep 21 07:16:33.910561: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.910565: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.910572: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.910586: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.910590: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.910592: | flags: none (0x0) Sep 21 07:16:33.910595: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.910597: | SPI size: 4 (0x4) Sep 21 07:16:33.910600: | number of SPIs: 1 (0x1) Sep 21 07:16:33.910603: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.910606: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.910610: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:16:33.910612: | local spis 43 bb c6 ab Sep 21 07:16:33.910615: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.910618: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.910621: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.910624: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.910627: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.910630: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.910633: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.910636: 
| emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.910638: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.910676: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.910680: | data being hmac: 2e 20 25 08 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.910682: | data being hmac: a1 26 be bf 3c 8a b6 b1 6c 4f 40 d6 be d9 a0 d7 Sep 21 07:16:33.910684: | data being hmac: 3a 3a 6d ed 84 58 5a 1a 3c 3d 33 3c 43 56 4b d0 Sep 21 07:16:33.910686: | out calculated auth: Sep 21 07:16:33.910688: | a1 24 5b 12 3b 40 a0 7b d7 93 d7 4a 72 65 db f4 Sep 21 07:16:33.910702: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #6) Sep 21 07:16:33.910705: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.910707: | 2e 20 25 08 00 00 00 03 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.910709: | a1 26 be bf 3c 8a b6 b1 6c 4f 40 d6 be d9 a0 d7 Sep 21 07:16:33.910711: | 3a 3a 6d ed 84 58 5a 1a 3c 3d 33 3c 43 56 4b d0 Sep 21 07:16:33.910713: | a1 24 5b 12 3b 40 a0 7b d7 93 d7 4a 72 65 db f4 Sep 21 07:16:33.910764: | Message ID: IKE #1 sender #6 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:16:33.910768: | Message ID: IKE #1 sender #6 in send_delete hacking around record ' send Sep 21 07:16:33.910772: | Message ID: sent #1 request 3; ike: initiator.sent=2->3 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1->3 wip.responder=-1 Sep 21 07:16:33.910775: | state #6 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.910780: | libevent_free: release ptr-libevent@0x563a209a1ba0 Sep 21 07:16:33.910788: | free_event_entry: release EVENT_SA_REKEY-pe@0x563a209958a0 Sep 21 07:16:33.913850: | running updown command "ipsec _updown" for verb down Sep 21 07:16:33.913860: | command executing down-client Sep 21 07:16:33.913889: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Sep 21 07:16:33.913898: | popen cmd is 1054 chars long Sep 21 07:16:33.913901: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Sep 21 07:16:33.913903: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Sep 21 07:16:33.913906: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.22.0/24' PLUTO_MY_CLIENT_NET='192.0.22.0': Sep 21 07:16:33.913908: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Sep 21 07:16:33.913910: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=': Sep 21 07:16:33.913913: | cmd( 400):@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO: Sep 21 07:16:33.913915: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:16:33.913917: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY: Sep 21 07:16:33.913920: | cmd( 
640):='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PL: Sep 21 07:16:33.913922: | cmd( 720):UTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_I: Sep 21 07:16:33.913924: | cmd( 800):S_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BAN: Sep 21 07:16:33.913927: | cmd( 880):NER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFA: Sep 21 07:16:33.913929: | cmd( 960):CE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x18ee805c SPI_OUT=0x43bbc6ab ipse: Sep 21 07:16:33.913931: | cmd(1040):c _updown 2>&1: Sep 21 07:16:33.924584: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.22.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:33.924602: | netlink_shunt_eroute for proto 0, and source 192.0.22.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:33.924606: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.924609: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:33.924659: | delete esp.18ee805c@192.1.3.33 Sep 21 07:16:33.924694: | netlink response for Del SA esp.18ee805c@192.1.3.33 included non-error error Sep 21 07:16:33.924697: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.924704: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:33.924745: | raw_eroute result=success Sep 21 07:16:33.924749: | delete esp.43bbc6ab@192.1.2.23 Sep 21 07:16:33.924775: | netlink response for Del SA esp.43bbc6ab@192.1.2.23 included non-error error Sep 21 07:16:33.924782: | stop processing: connection "north-eastnets/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:16:33.924813: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:16:33.924816: | in connection_discard for connection north-eastnets/0x2 
Sep 21 07:16:33.924819: | State DB: deleting IKEv2 state #6 in V2_IPSEC_I Sep 21 07:16:33.924823: | child state #6: V2_IPSEC_I(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:16:33.924844: | stop processing: state #6 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.924852: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.924855: | state #5 Sep 21 07:16:33.924860: | start processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.924867: | pstats #5 ikev2.child deleted completed Sep 21 07:16:33.924874: | #5 spent 0.813 milliseconds in total Sep 21 07:16:33.924878: | [RE]START processing: state #5 connection "north-eastnets/0x1" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.924883: "north-eastnets/0x1" #5: deleting state (STATE_V2_IPSEC_I) aged 2.487s and sending notification Sep 21 07:16:33.924886: | child state #5: V2_IPSEC_I(established CHILD SA) => delete Sep 21 07:16:33.924890: | get_sa_info esp.fff4871b@192.1.3.33 Sep 21 07:16:33.924899: | get_sa_info esp.4066dd7c@192.1.2.23 Sep 21 07:16:33.924906: "north-eastnets/0x1" #5: ESP traffic information: in=0B out=0B Sep 21 07:16:33.924909: | #5 send IKEv2 delete notification for STATE_V2_IPSEC_I Sep 21 07:16:33.924912: | Opening output PBS informational exchange delete request Sep 21 07:16:33.924915: | **emit ISAKMP Message: Sep 21 07:16:33.924918: | initiator cookie: Sep 21 07:16:33.924920: | cc 16 75 8d 92 e6 25 81 Sep 21 07:16:33.924922: | responder cookie: Sep 21 07:16:33.924924: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.924928: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.924930: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.924933: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.924936: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.924939: | 
Message ID: 4 (0x4) Sep 21 07:16:33.924942: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.924945: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.924947: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.924950: | flags: none (0x0) Sep 21 07:16:33.924953: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.924956: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.924959: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.924966: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.924969: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.924971: | flags: none (0x0) Sep 21 07:16:33.924974: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.924976: | SPI size: 4 (0x4) Sep 21 07:16:33.924979: | number of SPIs: 1 (0x1) Sep 21 07:16:33.924982: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.924985: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.924988: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:16:33.924991: | local spis 40 66 dd 7c Sep 21 07:16:33.924993: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.924996: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.924999: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.925002: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.925004: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.925007: | emitting 1 0x03 repeated 
bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.925010: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.925013: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.925015: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.925052: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.925055: | data being hmac: 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.925058: | data being hmac: b1 89 5e 1f 50 e0 ad 0f 46 31 ee 6f 37 15 34 9a Sep 21 07:16:33.925062: | data being hmac: 73 0d e9 9c dd 33 d1 3d 56 60 42 25 c4 6a 47 9a Sep 21 07:16:33.925064: | out calculated auth: Sep 21 07:16:33.925067: | 13 97 fd 4e 67 db 4b ab 60 b5 dc 6a 70 79 17 62 Sep 21 07:16:33.925075: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #5) Sep 21 07:16:33.925077: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.925079: | 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.925082: | b1 89 5e 1f 50 e0 ad 0f 46 31 ee 6f 37 15 34 9a Sep 21 07:16:33.925084: | 73 0d e9 9c dd 33 d1 3d 56 60 42 25 c4 6a 47 9a Sep 21 07:16:33.925086: | 13 97 fd 4e 67 db 4b ab 60 b5 dc 6a 70 79 17 62 Sep 21 07:16:33.925130: | Message ID: IKE #1 sender #5 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:16:33.925134: | Message ID: IKE #1 sender #5 in send_delete hacking around record ' send Sep 21 07:16:33.925139: | Message ID: #1 XXX: expecting sender.wip.initiator 3 == -1 - suspect record'n'send out-of-order?); initiator.sent=4 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=4 wip.responder=-1 Sep 21 07:16:33.925143: | Message ID: sent #1 request 4; ike: initiator.sent=3->4 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=3->4 wip.responder=-1 Sep 21 07:16:33.925146: | state #5 requesting 
EVENT_SA_REKEY to be deleted Sep 21 07:16:33.925151: | libevent_free: release ptr-libevent@0x7f77f0001100 Sep 21 07:16:33.925154: | free_event_entry: release EVENT_SA_REKEY-pe@0x563a20998590 Sep 21 07:16:33.925220: | running updown command "ipsec _updown" for verb down Sep 21 07:16:33.925224: | command executing down-client Sep 21 07:16:33.925252: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:16:33.925255: | popen cmd is 1052 chars long Sep 21 07:16:33.925258: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Sep 21 07:16:33.925261: | cmd( 80):1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Sep 21 07:16:33.925263: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' P: Sep 21 07:16:33.925266: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Sep 21 07:16:33.925268: | cmd( 320):O_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' 
PLUTO_PEER_ID='@n: Sep 21 07:16:33.925271: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Sep 21 07:16:33.925273: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:16:33.925276: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050191' PLUTO_CONN_POLICY=': Sep 21 07:16:33.925278: | cmd( 640):RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Sep 21 07:16:33.925281: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Sep 21 07:16:33.925286: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Sep 21 07:16:33.925288: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Sep 21 07:16:33.925291: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xfff4871b SPI_OUT=0x4066dd7c ipsec : Sep 21 07:16:33.925293: | cmd(1040):_updown 2>&1: Sep 21 07:16:33.933993: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:33.934009: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:33.934013: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.934017: | IPsec Sa SPD priority set to 1042407 Sep 21 07:16:33.934069: | delete esp.fff4871b@192.1.3.33 Sep 21 07:16:33.934132: | netlink response for Del SA esp.fff4871b@192.1.3.33 included non-error error Sep 21 07:16:33.934138: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.934146: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:33.934194: | raw_eroute result=success Sep 21 07:16:33.934199: | delete esp.4066dd7c@192.1.2.23 Sep 21 07:16:33.934222: | netlink response 
for Del SA esp.4066dd7c@192.1.2.23 included non-error error Sep 21 07:16:33.934228: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:33.934231: | State DB: deleting IKEv2 state #5 in V2_IPSEC_I Sep 21 07:16:33.934235: | child state #5: V2_IPSEC_I(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:16:33.934242: | stop processing: state #5 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.934248: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.934251: | state #4 Sep 21 07:16:33.934257: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.934260: | pstats #4 ikev2.child deleted completed Sep 21 07:16:33.934265: | #4 spent 5.68 milliseconds in total Sep 21 07:16:33.934270: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.934275: "north-eastnets/0x2" #4: deleting state (STATE_V2_IPSEC_R) aged 2.497s and sending notification Sep 21 07:16:33.934278: | child state #4: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:33.934282: | get_sa_info esp.c8d0fe50@192.1.3.33 Sep 21 07:16:33.934292: | get_sa_info esp.543d207b@192.1.2.23 Sep 21 07:16:33.934301: "north-eastnets/0x2" #4: ESP traffic information: in=756B out=756B Sep 21 07:16:33.934305: | #4 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:16:33.934308: | Opening output PBS informational exchange delete request Sep 21 07:16:33.934311: | **emit ISAKMP Message: Sep 21 07:16:33.934314: | initiator cookie: Sep 21 07:16:33.934316: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.934319: | responder cookie: Sep 21 07:16:33.934321: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.934324: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.934327: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 
07:16:33.934330: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.934333: | flags: none (0x0) Sep 21 07:16:33.934335: | Message ID: 0 (0x0) Sep 21 07:16:33.934338: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.934341: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.934344: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.934346: | flags: none (0x0) Sep 21 07:16:33.934350: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.934352: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.934359: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.934373: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.934377: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.934379: | flags: none (0x0) Sep 21 07:16:33.934382: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:16:33.934384: | SPI size: 4 (0x4) Sep 21 07:16:33.934387: | number of SPIs: 1 (0x1) Sep 21 07:16:33.934390: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.934393: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.934396: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:16:33.934399: | local spis 54 3d 20 7b Sep 21 07:16:33.934401: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:16:33.934404: | adding 4 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.934408: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934411: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934414: 
| emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934417: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934420: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.934422: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.934425: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.934467: | data being hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.934471: | data being hmac: 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.934474: | data being hmac: 3f 83 12 b9 38 2b dc 5b 02 c6 b9 6b 5a 84 4d a8 Sep 21 07:16:33.934476: | data being hmac: 71 e9 5d e6 a0 4e 5e 64 0a 94 6d d2 71 2a 8e 11 Sep 21 07:16:33.934479: | out calculated auth: Sep 21 07:16:33.934482: | a0 88 97 74 ef 55 c0 e9 4e 2f 5c 6d 50 2c 21 73 Sep 21 07:16:33.934489: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #4) Sep 21 07:16:33.934493: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.934495: | 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.934498: | 3f 83 12 b9 38 2b dc 5b 02 c6 b9 6b 5a 84 4d a8 Sep 21 07:16:33.934500: | 71 e9 5d e6 a0 4e 5e 64 0a 94 6d d2 71 2a 8e 11 Sep 21 07:16:33.934502: | a0 88 97 74 ef 55 c0 e9 4e 2f 5c 6d 50 2c 21 73 Sep 21 07:16:33.934552: | Message ID: IKE #2 sender #4 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:16:33.934557: | Message ID: IKE #2 sender #4 in send_delete hacking around record ' send Sep 21 07:16:33.934563: | Message ID: sent #2 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:16:33.934566: | state #4 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.934571: | libevent_free: release 
ptr-libevent@0x7f7808006900 Sep 21 07:16:33.934575: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f7808002b20 Sep 21 07:16:33.934645: | delete esp.c8d0fe50@192.1.3.33 Sep 21 07:16:33.934673: | netlink response for Del SA esp.c8d0fe50@192.1.3.33 included non-error error Sep 21 07:16:33.934677: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.934685: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:16:33.934695: | raw_eroute result=success Sep 21 07:16:33.934698: | delete esp.543d207b@192.1.2.23 Sep 21 07:16:33.934721: | netlink response for Del SA esp.543d207b@192.1.2.23 included non-error error Sep 21 07:16:33.934727: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.934730: | State DB: deleting IKEv2 state #4 in V2_IPSEC_R Sep 21 07:16:33.934733: | child state #4: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:16:33.934749: | stop processing: state #4 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.934757: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.934759: | state #3 Sep 21 07:16:33.934762: | state #2 Sep 21 07:16:33.934764: | state #1 Sep 21 07:16:33.934766: | pass 1 Sep 21 07:16:33.934769: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:33.934771: | state #3 Sep 21 07:16:33.934773: | state #2 Sep 21 07:16:33.934778: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.934781: | pstats #2 ikev2.ike deleted completed Sep 21 07:16:33.934792: | #2 spent 12.8 milliseconds in total Sep 21 07:16:33.934800: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.934804: "north-eastnets/0x2" #2: deleting state (STATE_PARENT_R2) aged 2.866s and sending notification Sep 21 07:16:33.934807: | parent state #2: PARENT_R2(established IKE SA) => delete Sep 21 07:16:33.934859: | #2 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:16:33.934863: | Opening output PBS informational exchange delete request Sep 21 07:16:33.934866: | **emit ISAKMP Message: Sep 21 07:16:33.934868: | initiator cookie: Sep 21 07:16:33.934871: | df a1 f0 f4 bf 5a d1 b5 Sep 21 07:16:33.934873: | responder cookie: Sep 21 07:16:33.934875: | 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.934878: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.934880: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.934883: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.934885: | flags: none (0x0) Sep 21 07:16:33.934888: | Message ID: 1 (0x1) Sep 21 07:16:33.934890: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.934893: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.934896: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.934898: | flags: none (0x0) Sep 21 07:16:33.934901: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.934904: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.934907: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.934912: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.934915: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.934917: | flags: none (0x0) Sep 21 07:16:33.934920: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:33.934922: | SPI size: 0 (0x0) Sep 21 07:16:33.934924: | number of SPIs: 0 (0x0) Sep 21 07:16:33.934927: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.934930: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.934933: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:16:33.934935: | adding 8 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.934938: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934941: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934944: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934947: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934949: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934954: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934957: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934960: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.934963: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.934965: | emitting length of IKEv2 Encryption Payload: 
52 Sep 21 07:16:33.934968: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.934992: | data being hmac: df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.934996: | data being hmac: 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.934999: | data being hmac: ba 58 08 30 2c d1 40 68 ea f3 82 2d 47 17 38 32 Sep 21 07:16:33.935001: | data being hmac: b6 54 d6 47 18 a7 49 f6 b8 6b b6 0d e0 15 5c 5a Sep 21 07:16:33.935003: | out calculated auth: Sep 21 07:16:33.935006: | e4 fd f6 4d 99 80 29 53 45 b3 a7 6e e1 b9 ba bc Sep 21 07:16:33.935013: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:16:33.935015: | df a1 f0 f4 bf 5a d1 b5 2e c4 b9 50 1a 1f 6d 83 Sep 21 07:16:33.935018: | 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.935020: | ba 58 08 30 2c d1 40 68 ea f3 82 2d 47 17 38 32 Sep 21 07:16:33.935022: | b6 54 d6 47 18 a7 49 f6 b8 6b b6 0d e0 15 5c 5a Sep 21 07:16:33.935025: | e4 fd f6 4d 99 80 29 53 45 b3 a7 6e e1 b9 ba bc Sep 21 07:16:33.935052: | Message ID: IKE #2 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:16:33.935056: | Message ID: IKE #2 sender #2 in send_delete hacking around record ' send Sep 21 07:16:33.935061: | Message ID: #2 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:16:33.935065: | Message ID: sent #2 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:16:33.935068: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.935072: | libevent_free: release ptr-libevent@0x563a2098deb0 Sep 21 07:16:33.935075: | free_event_entry: release EVENT_SA_REKEY-pe@0x563a2098de70 Sep 21 07:16:33.935078: | State DB: IKEv2 state not found 
(flush_incomplete_children) Sep 21 07:16:33.935080: | picked newest_isakmp_sa #1 for #2 Sep 21 07:16:33.935083: "north-eastnets/0x2" #2: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Sep 21 07:16:33.935087: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 0 seconds Sep 21 07:16:33.935090: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds Sep 21 07:16:33.935094: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.935097: | State DB: deleting IKEv2 state #2 in PARENT_R2 Sep 21 07:16:33.935100: | parent state #2: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:33.935104: | unreference key: 0x563a20914f60 @north cnt 2-- Sep 21 07:16:33.935116: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.935122: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.935125: | state #1 Sep 21 07:16:33.935130: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.935133: | pstats #1 ikev2.ike deleted completed Sep 21 07:16:33.935136: | #1 spent 9.78 milliseconds in total Sep 21 07:16:33.935141: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.935147: "north-eastnets/0x2" #1: deleting state (STATE_PARENT_I3) aged 3.796s and sending notification Sep 21 07:16:33.935150: | parent state #1: PARENT_I3(established IKE SA) => delete Sep 21 07:16:33.935206: | #1 send IKEv2 delete notification for STATE_PARENT_I3 Sep 21 07:16:33.935210: | Opening output PBS informational exchange delete request Sep 21 07:16:33.935212: | **emit ISAKMP Message: Sep 21 07:16:33.935215: | initiator cookie: Sep 21 07:16:33.935217: | cc 16 75 8d 92 e6 25 81 Sep 21 
07:16:33.935219: | responder cookie: Sep 21 07:16:33.935221: | 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.935224: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:16:33.935227: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:16:33.935230: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:16:33.935232: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:16:33.935235: | Message ID: 5 (0x5) Sep 21 07:16:33.935237: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:16:33.935240: | ***emit IKEv2 Encryption Payload: Sep 21 07:16:33.935243: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.935245: | flags: none (0x0) Sep 21 07:16:33.935248: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:16:33.935251: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.935254: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:16:33.935260: | ****emit IKEv2 Delete Payload: Sep 21 07:16:33.935263: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:16:33.935265: | flags: none (0x0) Sep 21 07:16:33.935268: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:16:33.935270: | SPI size: 0 (0x0) Sep 21 07:16:33.935273: | number of SPIs: 0 (0x0) Sep 21 07:16:33.935276: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:16:33.935278: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:16:33.935281: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:16:33.935284: | adding 8 bytes of padding (including 1 byte padding-length) Sep 21 07:16:33.935287: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 
21 07:16:33.935289: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935292: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935295: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935298: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935300: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935303: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935306: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:16:33.935309: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:16:33.935311: | emitting length of IKEv2 Encryption Payload: 52 Sep 21 07:16:33.935314: | emitting length of ISAKMP Message: 80 Sep 21 07:16:33.935337: | data being hmac: cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.935340: | data being hmac: 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.935343: | data being hmac: be fa b9 f3 0c de bd 6d bc 8f 88 7c 71 18 c4 81 Sep 21 07:16:33.935345: | data being hmac: 72 6f d8 ed 90 17 77 32 40 49 e5 d3 24 70 7d 3c Sep 21 07:16:33.935347: | out calculated auth: Sep 21 07:16:33.935350: | d1 cb bc bf a5 4b 90 4e 0e 36 03 f3 7a 55 2d 52 Sep 21 07:16:33.935358: | sending 80 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:16:33.935361: | cc 16 75 8d 92 e6 25 81 00 12 5c d6 ad 9b dc 4e Sep 21 07:16:33.935363: | 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Sep 21 07:16:33.935366: | be fa b9 f3 0c de bd 6d bc 8f 88 7c 71 18 c4 81 Sep 21 07:16:33.935368: | 72 6f d8 ed 90 17 77 32 40 49 e5 d3 24 70 7d 3c Sep 21 07:16:33.935370: | d1 cb bc bf a5 4b 90 4e 0e 36 03 f3 7a 55 2d 52 Sep 21 
07:16:33.935387: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=2->3 and sender msgid=1->2 Sep 21 07:16:33.935390: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Sep 21 07:16:33.935395: | Message ID: #1 XXX: expecting sender.wip.initiator 4 == -1 - suspect record'n'send out-of-order?); initiator.sent=5 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=5 wip.responder=-1 Sep 21 07:16:33.935400: | Message ID: sent #1 request 5; ike: initiator.sent=4->5 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=4->5 wip.responder=-1 Sep 21 07:16:33.935402: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.935405: | libevent_free: release ptr-libevent@0x7f7804000f40 Sep 21 07:16:33.935408: | free_event_entry: release EVENT_SA_REKEY-pe@0x563a20998d50 Sep 21 07:16:33.935411: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:16:33.935413: | picked newest_isakmp_sa #0 for #1 Sep 21 07:16:33.935416: "north-eastnets/0x2" #1: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Sep 21 07:16:33.935419: | in connection_discard for connection north-eastnets/0x2 Sep 21 07:16:33.935422: | State DB: deleting IKEv2 state #1 in PARENT_I3 Sep 21 07:16:33.935425: | parent state #1: PARENT_I3(established IKE SA) => UNDEFINED(ignore) Sep 21 07:16:33.935428: | unreference key: 0x563a20914f60 @north cnt 1-- Sep 21 07:16:33.935440: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.935457: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.935463: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.22.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:33.935469: | netlink_shunt_eroute for proto 0, and source 
192.0.22.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:33.935472: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.935502: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Sep 21 07:16:33.935512: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:16:33.935516: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:33.935519: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Sep 21 07:16:33.935521: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:16:33.935524: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:33.935528: | route owner of "north-eastnets/0x2" unrouted: "north-eastnets/0x1" prospective erouted Sep 21 07:16:33.935531: | flush revival: connection 'north-eastnets/0x2' revival flushed Sep 21 07:16:33.935534: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:16:33.935540: | start processing: connection "north-eastnets/0x1" (in delete_connection() at connections.c:189) Sep 21 07:16:33.935543: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:16:33.935545: | pass 0 Sep 21 07:16:33.935547: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:16:33.935549: | state #3 Sep 21 07:16:33.935553: | suspend processing: connection "north-eastnets/0x1" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.935558: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:16:33.935562: | pstats #3 ikev2.child deleted completed Sep 21 07:16:33.935567: | [RE]START processing: state #3 connection "north-eastnets/0x1" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:16:33.935570: | deleting state but IKE SA does not exist for this child SA so Informational Exchange cannot be sent Sep 21 07:16:33.935573: "north-eastnets/0x1" #3: deleting state (STATE_V2_IPSEC_R) aged 2.850s and NOT sending notification Sep 21 07:16:33.935576: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:16:33.935580: | get_sa_info esp.2d973bf0@192.1.3.33 Sep 21 07:16:33.935589: | get_sa_info esp.ecbd618@192.1.2.23 Sep 21 07:16:33.935597: "north-eastnets/0x1" #3: ESP traffic information: in=1KB out=1KB Sep 21 07:16:33.935600: | deleting state but IKE SA does not exist for this child SA so Informational Exchange cannot be sent Sep 21 07:16:33.935604: | child state #3: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Sep 21 07:16:33.935606: | state #3 requesting EVENT_SA_REKEY to be deleted Sep 21 07:16:33.935609: | libevent_free: release ptr-libevent@0x563a20998220 Sep 21 07:16:33.935612: | free_event_entry: release EVENT_SA_REKEY-pe@0x563a20995ad0 Sep 21 07:16:33.935664: | delete esp.2d973bf0@192.1.3.33 Sep 21 07:16:33.935689: | netlink response for Del SA esp.2d973bf0@192.1.3.33 included non-error error Sep 21 07:16:33.935693: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.935699: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 
07:16:33.935708: | raw_eroute result=success Sep 21 07:16:33.935712: | delete esp.ecbd618@192.1.2.23 Sep 21 07:16:33.935732: | netlink response for Del SA esp.ecbd618@192.1.2.23 included non-error error Sep 21 07:16:33.935737: | stop processing: connection "north-eastnets/0x1" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:16:33.935740: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:16:33.935742: | in connection_discard for connection north-eastnets/0x1 Sep 21 07:16:33.935745: | State DB: deleting IKEv2 state #3 in CHILDSA_DEL Sep 21 07:16:33.935748: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Sep 21 07:16:33.935752: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:16:33.935766: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:16:33.935769: | pass 1 Sep 21 07:16:33.935772: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:16:33.935777: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:16:33.935788: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:16:33.935793: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.935819: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Sep 21 07:16:33.935829: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:16:33.935832: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Sep 21 07:16:33.935835: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Sep 21 07:16:33.935838: | route owner of "north-eastnets/0x1" unrouted: NULL Sep 21 07:16:33.935841: | running updown command "ipsec _updown" for verb unroute Sep 21 07:16:33.935844: | command executing unroute-client Sep 21 07:16:33.935869: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Sep 21 07:16:33.935875: | popen cmd is 1033 chars long Sep 21 07:16:33.935878: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Sep 21 07:16:33.935881: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Sep 21 07:16:33.935883: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:16:33.935886: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:16:33.935889: | cmd( 
320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Sep 21 07:16:33.935891: | cmd( 400):='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLU: Sep 21 07:16:33.935894: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Sep 21 07:16:33.935896: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: Sep 21 07:16:33.935899: | cmd( 640):G+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Sep 21 07:16:33.935901: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Sep 21 07:16:33.935904: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Sep 21 07:16:33.935906: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Sep 21 07:16:33.935909: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:16:33.956420: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956434: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956437: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956439: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956441: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956443: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956446: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956448: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956450: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956452: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956454: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:33.956457: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956459: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956461: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956463: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956466: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956468: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956470: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956472: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956475: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956477: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956479: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956481: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956486: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956488: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956490: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956493: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956495: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956497: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956499: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:16:33.956502: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:16:33.962799: | free hp@0x563a209585d0 Sep 21 07:16:33.962814: | flush revival: connection 'north-eastnets/0x1' wasn't on the list Sep 21 07:16:33.962818: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:16:33.962825: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:16:33.962827: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:16:33.962838: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:16:33.962842: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:16:33.962845: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:16:33.962848: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:16:33.962852: shutting down interface eth0/eth0 192.0.22.251:4500 Sep 21 07:16:33.962855: shutting down interface eth0/eth0 192.0.22.251:500 Sep 21 07:16:33.962858: shutting down interface eth0/eth0 192.0.22.254:4500 Sep 21 07:16:33.962861: shutting down interface eth0/eth0 192.0.22.254:500 Sep 21 07:16:33.962864: shutting down interface eth0/eth0 192.0.2.251:4500 Sep 21 07:16:33.962867: shutting down interface eth0/eth0 192.0.2.251:500 Sep 21 07:16:33.962871: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:16:33.962874: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:16:33.962879: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:16:33.962888: | libevent_free: release ptr-libevent@0x563a2098c020 Sep 21 07:16:33.962892: | free_event_entry: release EVENT_NULL-pe@0x563a2098bfe0 Sep 21 07:16:33.962902: | libevent_free: release ptr-libevent@0x563a2098c110 Sep 21 07:16:33.962905: | free_event_entry: release EVENT_NULL-pe@0x563a2098c0d0 Sep 21 07:16:33.962912: | libevent_free: release ptr-libevent@0x563a2098c200 Sep 21 07:16:33.962915: | free_event_entry: release EVENT_NULL-pe@0x563a2098c1c0 Sep 21 07:16:33.962921: | libevent_free: release ptr-libevent@0x563a2098c2f0 Sep 21 07:16:33.962923: | free_event_entry: release EVENT_NULL-pe@0x563a2098c2b0 Sep 21 07:16:33.962929: | libevent_free: release ptr-libevent@0x563a2098ca60 Sep 21 07:16:33.962932: | free_event_entry: release EVENT_NULL-pe@0x563a2098ddf0 Sep 21 07:16:33.962938: | libevent_free: release ptr-libevent@0x563a2098cb50 Sep 21 07:16:33.962941: | free_event_entry: release EVENT_NULL-pe@0x563a2098cb10 Sep 21 07:16:33.962947: | libevent_free: release ptr-libevent@0x563a2098cc40 Sep 21 07:16:33.962949: | free_event_entry: release EVENT_NULL-pe@0x563a2098cc00 Sep 21 07:16:33.962956: | libevent_free: release ptr-libevent@0x563a2098cd30 Sep 21 07:16:33.962959: | free_event_entry: release EVENT_NULL-pe@0x563a2098ccf0 Sep 21 07:16:33.962964: | libevent_free: release ptr-libevent@0x563a2098ce20 Sep 21 07:16:33.962967: | free_event_entry: release EVENT_NULL-pe@0x563a2098cde0 Sep 21 07:16:33.962973: | libevent_free: release ptr-libevent@0x563a2098cf10 Sep 21 07:16:33.962976: | free_event_entry: release EVENT_NULL-pe@0x563a2098ced0 Sep 21 07:16:33.962982: | libevent_free: release ptr-libevent@0x563a2098d000 Sep 21 07:16:33.962985: | free_event_entry: release EVENT_NULL-pe@0x563a2098cfc0 Sep 21 07:16:33.962991: | libevent_free: release ptr-libevent@0x563a2098d0f0 Sep 21 07:16:33.962993: | free_event_entry: release EVENT_NULL-pe@0x563a2098d0b0 Sep 21 07:16:33.962999: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:16:33.963422: | libevent_free: release ptr-libevent@0x563a2098b5a0 Sep 21 07:16:33.963432: | free_event_entry: release EVENT_NULL-pe@0x563a2096f450 Sep 21 07:16:33.963437: | libevent_free: release ptr-libevent@0x563a209810b0 Sep 21 07:16:33.963440: | free_event_entry: release EVENT_NULL-pe@0x563a20974ec0 Sep 21 07:16:33.963444: | libevent_free: release ptr-libevent@0x563a20981020 Sep 21 07:16:33.963446: | free_event_entry: release EVENT_NULL-pe@0x563a20974f00 Sep 21 07:16:33.963449: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:16:33.963451: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:16:33.963454: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:16:33.963456: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:16:33.963458: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:16:33.963461: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:16:33.963463: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:16:33.963465: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:16:33.963467: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:16:33.963472: | libevent_free: release ptr-libevent@0x563a2098b670 Sep 21 07:16:33.963475: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:16:33.963478: | libevent_free: release ptr-libevent@0x563a2098b750 Sep 21 07:16:33.963480: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:16:33.963483: | libevent_free: release ptr-libevent@0x563a2098b810 Sep 21 07:16:33.963485: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:16:33.963488: | libevent_free: release ptr-libevent@0x563a20980420 Sep 21 07:16:33.963490: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:16:33.963492: | releasing event base Sep 21 07:16:33.963506: | libevent_free: release ptr-libevent@0x563a2098b8d0 Sep 21 07:16:33.963509: | libevent_free: release ptr-libevent@0x563a20960e60 Sep 21 07:16:33.963513: | libevent_free: 
release ptr-libevent@0x563a2096f790 Sep 21 07:16:33.963516: | libevent_free: release ptr-libevent@0x563a2098c3f0 Sep 21 07:16:33.963518: | libevent_free: release ptr-libevent@0x563a2096f7b0 Sep 21 07:16:33.963521: | libevent_free: release ptr-libevent@0x563a2098b630 Sep 21 07:16:33.963524: | libevent_free: release ptr-libevent@0x563a2098b710 Sep 21 07:16:33.963526: | libevent_free: release ptr-libevent@0x563a2096f840 Sep 21 07:16:33.963529: | libevent_free: release ptr-libevent@0x563a209741e0 Sep 21 07:16:33.963531: | libevent_free: release ptr-libevent@0x563a20974200 Sep 21 07:16:33.963533: | libevent_free: release ptr-libevent@0x563a2098d180 Sep 21 07:16:33.963536: | libevent_free: release ptr-libevent@0x563a2098d090 Sep 21 07:16:33.963538: | libevent_free: release ptr-libevent@0x563a2098cfa0 Sep 21 07:16:33.963540: | libevent_free: release ptr-libevent@0x563a2098ceb0 Sep 21 07:16:33.963543: | libevent_free: release ptr-libevent@0x563a2098cdc0 Sep 21 07:16:33.963545: | libevent_free: release ptr-libevent@0x563a2098ccd0 Sep 21 07:16:33.963547: | libevent_free: release ptr-libevent@0x563a2098cbe0 Sep 21 07:16:33.963550: | libevent_free: release ptr-libevent@0x563a2098caf0 Sep 21 07:16:33.963552: | libevent_free: release ptr-libevent@0x563a2098c380 Sep 21 07:16:33.963555: | libevent_free: release ptr-libevent@0x563a2098c290 Sep 21 07:16:33.963557: | libevent_free: release ptr-libevent@0x563a2098c1a0 Sep 21 07:16:33.963559: | libevent_free: release ptr-libevent@0x563a2098c0b0 Sep 21 07:16:33.963562: | libevent_free: release ptr-libevent@0x563a208f1370 Sep 21 07:16:33.963565: | libevent_free: release ptr-libevent@0x563a2098b7f0 Sep 21 07:16:33.963568: | libevent_free: release ptr-libevent@0x563a2098b730 Sep 21 07:16:33.963571: | libevent_free: release ptr-libevent@0x563a2098b650 Sep 21 07:16:33.963573: | libevent_free: release ptr-libevent@0x563a2098b8b0 Sep 21 07:16:33.963575: | libevent_free: release ptr-libevent@0x563a208ef6c0 Sep 21 07:16:33.963578: | 
libevent_free: release ptr-libevent@0x563a2096f7d0 Sep 21 07:16:33.963580: | libevent_free: release ptr-libevent@0x563a2096f800 Sep 21 07:16:33.963582: | libevent_free: release ptr-libevent@0x563a2096f4f0 Sep 21 07:16:33.963591: | releasing global libevent data Sep 21 07:16:33.963595: | libevent_free: release ptr-libevent@0x563a2096e1e0 Sep 21 07:16:33.963597: | libevent_free: release ptr-libevent@0x563a2096f490 Sep 21 07:16:33.963600: | libevent_free: release ptr-libevent@0x563a2096f4c0